Hold onto your butts, kids, we’ve got a doozy of a story. Let’s take this one slow: a class-action lawsuit has been filed in Pennsylvania accusing the Lower Merion school district of “unauthorized, inappropriate and indiscriminate remote activation” of webcams in laptops issued to students, without prior knowledge or consent. The tale begins when Assistant Principal Lindy Matsko of Harriton High School informed a student that he was “engaged in improper behavior in his home”; the suit alleges that when pressed for details, Matsko told both the boy and his father that the school district could remotely activate the webcam — a capability that is apparently being used.
The school district has yet to respond to the accusations, so at this point we’ve only got the plaintiff’s side of the story — for all we know this kid took a picture of himself and somehow accidentally uploaded it on the school network. Then again, some purported Lower Merion students just emailed Gizmodo and claimed that their MacBooks’ green webcam lights went on at random times, but they were told by IT support that it was just a technical glitch. Holy alleged invasion of privacy, Batman, this could get mighty interesting. PDF of the complaint available below.
Update: The Lower Merion School District superintendent Christopher McGinley has issued an official response on its website, acknowledging “a security feature intended to track lost, stolen and missing laptops.” Going further, he says the district “has not used the tracking feature or web cam for any other purpose or in any other manner whatsoever” but that the matter is “under review.”
Looks like all that GSM code-cracking is progressing faster than we thought. Soon after the discovery of the 64-bit A5/1 GSM encryption flaw last month, the geniuses at Israel’s Weizmann Institute of Science went ahead and cracked the KASUMI system — a 128-bit A5/3 algorithm implemented across 3G networks — in less than two hours. If you must know, the method applied is dubbed ‘related-key sandwich attack’ where multiple values of known differentials are processed through the first seven rounds of KASUMI, then using resulting quartets that are identified sharing key differences, subkey materials can be obtained in round eight to build up the 128-bit key. Sure, it’s hardly snooping-on-the-go at this speed, but worryingly this was only an ‘unoptimized implementation… on a single PC.’ At the same time, the paper condemns the presumably red-faced GSM Association for moving from MISTY — a more computationally-expensive but much stronger predecessor algorithm — to KASUMI. Guess we’ll just have to stick with Skype.
If you allow applications to save your passwords, anyone with physical access to your PC can decode them unless you’re properly encrypting them—and chances are pretty good you’re not. Let’s walk through the right and wrong ways to store your passwords.
For the purpose of this article, we’ll assume that the people you allow into your house are trustworthy enough not to hack your passwords, and your laptop has been stolen instead—but the tips here should apply to either scenario. Regardless of how you choose to save your passwords, you should make sure to use great passwords and even stronger answers for security questions.
Once You Click “Remember Password” It’s All Over
Almost any application that requires you to login to something will also provide an option to save your password, and once you’ve done that, your password may as well be plain text. Behind the scenes, even if the application encrypts the account information, it’s doing so with a static key that can be easily deciphered through some reverse engineering, and somebody not only can, but already has created a utility to recover those passwords.
That’s right, your favorite open-source, multi-protocol instant messenger client stores your passwords in plain text. If you don’t believe me, just open up your %appdata%\.purple\accounts.xml file in your favorite text editor, and you’ll see your passwords right there for anybody to read.
The decision to store the passwords in plain text is a deliberate one that’s been thoughtfully considered, and while you might initially think it’s a terribly insecure way to handle security, keep in mind that you can simply download any number of utilities like Nirsoft’s MessenPass and recover the passwords from AIM, Windows Live Messenger, Trillian, Miranda, Google Talk, Digsby, etc. The Pidgin developers point out that their option is actually the preferred method for security:
Having our passwords in plaintext is more secure than obfuscating them precisely because, when a user is not misled by a false sense of security, he is likely to use the software in a more secure manner.
The best answer, of course, is to not allow your IM client to store your passwords at all—but if you must store them, you should at least use the built-in Windows encryption, if not a full-blown TrueCrypt setup. Either option would be better than the pseudo-protection most other applications provide.
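To see for yourself which accounts an instant messenger has stored in the clear, here is an added audit script (not from the original article or the Pidgin project) that parses a libpurple-style accounts.xml and reports every account carrying a non-empty `<password>` element; the sample file embedded below is constructed, and the element layout (`<account>` children with `<protocol>`, `<name>`, optional `<password>`) is assumed.

```python
"""Audit a Pidgin/libpurple accounts.xml for saved (plaintext) passwords.

Added example, not from the original article. It assumes the libpurple
accounts.xml layout (<account> elements with <protocol>, <name> and an
optional <password> child); the sample file below is constructed.
"""
import xml.etree.ElementTree as ET

# Constructed sample in the libpurple accounts.xml layout (not a real file).
SAMPLE_ACCOUNTS_XML = """<?xml version='1.0' encoding='UTF-8' ?>
<account version='1.0'>
  <account>
    <protocol>prpl-jabber</protocol>
    <name>alice@example.org/Home</name>
    <password>hunter2</password>
  </account>
  <account>
    <protocol>prpl-aim</protocol>
    <name>bobscreenname</name>
  </account>
  <account>
    <protocol>prpl-msn</protocol>
    <name>carol@example.com</name>
    <password></password>
  </account>
</account>
"""


def find_saved_passwords(xml_text):
    """Return (protocol, name, password_length) for every account that has a
    non-empty <password> element, i.e. a credential that anyone who can read
    the file recovers verbatim, no reverse engineering required."""
    root = ET.fromstring(xml_text)
    findings = []
    for acct in root.findall("account"):
        pw = acct.findtext("password")
        if pw:  # None (never saved) and "" (cleared) are both fine
            findings.append((acct.findtext("protocol", ""),
                             acct.findtext("name", ""), len(pw)))
    return findings


def report(xml_text):
    """Human-readable summary; reports only the length, never the secret."""
    findings = find_saved_passwords(xml_text)
    if not findings:
        return "no saved passwords in accounts.xml"
    lines = ["%d account(s) with a saved plaintext password:" % len(findings)]
    for proto, name, n in findings:
        lines.append("  %s %s (%d chars)" % (proto, name, n))
    return "\n".join(lines)


def audit_file(path):
    """Run the report against a real accounts.xml (e.g. %appdata%\\.purple)."""
    with open(path, encoding="utf-8") as fh:
        return report(fh.read())


if __name__ == "__main__":
    print(report(SAMPLE_ACCOUNTS_XML))
```

Any account the report lists is one whose password you should stop saving (or move behind a master-password-protected manager) rather than leave on disk.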
Password Managers Are the Only Secure Storage
The only truly secure way to store your passwords is to use a password manager to securely track your passwords, combined with a great master password to protect the rest of your saved passwords—if you use an easy password for your password manager, it would be easy to crack with a brute force attack. Don’t lure yourself into a false sense of security by just using one—your password manager password should be at least 10 alpha-numeric characters if you really want to be secure.
You’ve got a number of great password managers to choose from, like reader favorite Keepass, a cross-platform tool which has many plugins that help you master your passwords and make using a password manager easier to deal with. And, of course, let’s not forget that Firefox has a full password manager built right into the application.
Use a Firefox Master Password (With More Than 8 Characters)
If you want to use Firefox to save the passwords for all your web accounts, you should make sure to enable a Firefox Master Password by heading into Tools –> Options –> Security and checking the box for Use a master password.
Once you’ve done this, Firefox will store all of your passwords with nearly unbreakable AES encryption—providing you use a password with more than 8 alpha-numeric characters and at least one capitalized letter. If you used a weak and pathetic password like “secret”, it could be broken in a matter of minutes with a brute force cracking tool, but a decent 8+ random character password will take at least 73 years for a brute force attack.
Each time you start Firefox and go to a site that requires a saved password, you’ll be first prompted for your master password. By default, the master password authentication will be active for the entire session, but you can use the Master Password Timeout extension to lock your master password again after a certain interval, which is handy if you walk away from your desk without remembering to lock it with Win+L.
Use TrueCrypt to Encrypt Everything
Rather than deal with password managers or whether or not to save your passwords, you could simply create a separate, encrypted TrueCrypt drive, and use portable versions of your applications to keep everything totally secure. If you’re even more paranoid, you can use TrueCrypt to encrypt the entire hard drive—you will be prompted for a password every time you boot, but you can relax knowing that anything you do will be encrypted, even if you use scripts with your passwords stored in plain text. If TrueCrypt isn’t your thing, you can use the built-in encryption functionality in Windows—just keep in mind that if you change your password your data will be inaccessible, and your Windows password can be cracked, giving them full access to your files.
Are you already using a password manager or encryption to keep your passwords secure? Share your best password security tips in the comments.
The How-To Geek uses Keepass and a tough password scheme to keep his accounts secure. His geeky articles can be found daily here on Lifehacker, How-To Geek, and Twitter.
Did you know that the vast majority of calls carried out on the 3.5 billion GSM connections in the world today are protected by a 21-year old 64-bit encryption algorithm? You should now, given that the A5/1 privacy algorithm, devised in 1988, has been deciphered by German computer engineer Karsten Nohl and published as a torrent for fellow code cracking enthusiasts and less benevolent forces to exploit. Worryingly, Karsten and his crew of merry men obtained the binary codes by simple brute force — they fed enough random strings of numbers in to effectively guess the password. The GSM Association — which has had a 128-bit A5/3 key available since 2007, but found little takeup from operators — has responded by having a whinge about Mr. Nohl’s intentions and stating that operators could just modify the existing code to re-secure their networks. Right, only a modified 64-bit code is just as vulnerable to cracking as the one that just got cracked. It’s important to note that simply having the code is not in itself enough to eavesdrop on a call, as the cracker would be faced with just a vast stream of digital communications — but Karsten comes back to reassure us that intercepting software is already available in customizable open source varieties. So don’t be like Tiger, keep your truly private conversations off the airwaves, at least for a while.
It’s definitely shaping up to be the year of e-book readers: the Amazon Kindle is flying off (virtual) shelves, and we’d expect the Barnes & Noble Nook to start moving at a decent clip once the kinks get worked out. But any device with an always-on 3G connection to a central server raises some privacy questions, especially when it can broadcast granular, specific data about what you’re reading — data that’s subject to a wide spectrum of privacy laws and regulations when it comes to real books and libraries, but much less so in the digital realm. We’d say it’s going to take a while for all the privacy implications of e-books to be dealt with by formal policy, but in the meantime the best solution is to be informed — which is where this handy chart from our friends at the Electronic Frontier Foundation comes in. As you’d expect, the more reading you do online, the more you can be tracked — and Google Books, the Kindle, and the Nook all log a ton of data that can be shared with law enforcement and various other third parties if required. Of course, we doubt the cops are too interested in your Twilight reading habits, but honestly, we’d rather users weren’t tracked at all. Check the full chart and more at the read link.
Windows/Mac: Opera’s developers have released a very unstable but promising version of their web browser into the open. What does Opera 10.5 have to offer? If a quick test is any indication, faster JavaScript speed than any browser out there.
Based on Opera’s reports of their new JavaScript engine, Carakan, being “7x faster” than the standard Futhark engine built into Opera 10.10, we ran it through Mozilla’s Dromaeo JavaScript tests, which combine Apple’s SunSpider and Google’s V8 JavaScript benchmarks. Pure runs-per-second speed isn’t everything, of course, and engines can be built specifically to max out in these kinds of tests. That said, the results of Opera 10.5, rolled into our last round of browser speed tests, were more than a little impressive, using Dromaeo as a measuring stick:
The chart up top is pulled from our most recent speed tests, with Opera 10.5 pre-alpha results rolled in. It shows some, shall we say, notable improvement. The gHacks blog put 10.5 against Firefox 3.6 beta and Chrome’s development build in the SunSpider and V8 tests and found that Opera either beat, or came very close to, Chrome, in those separate runs, and usually left Firefox in the dust. We’ll have to put Opera 10.5 through its full paces when it’s out of its very unstable build.
If you’re the adventurous type and do want to give the pre-alpha a try, you’ll also find improvements to the page rendering engine, new Private Browsing tabs and windows that don’t track any history, and some interface and visual design tweaks, detailed in the post below. The big JavaScript improvements aren’t as pronounced on the Mac build as on Windows, according to the development team, but are still there.
Opera 10.5 pre-alpha is a free download for Windows and Mac systems. Tell us if you think there’s some real speed-ups in this build, and what else you like, in the comments.
Young American woman travels over to Jerusalem to meet some friends, see the sights, live the life. Overzealous border security officers ask her a bunch of questions, take issue with her answers, and a few well-placed bullets later she is allowed entry into the country with a somewhat altered MacBook in tow. So what can we all learn from this incident? Firstly, back up all the data you consider important; B, Israeli policemen don’t mess about; and 3, distressed laptops look gorgeous no matter how they got there — just look at the way the glass trackpad has wrinkled up from the force of the bullet penetrating near it, it’s a borderline work of art. The young lady in question has been promised compensation, but lest you think this is a one-off you can see pictures of an equally dead Dell at the Flickr link below. We’ve got a couple more close-ups of the ravaged MacBook after the break.
[Thanks, Itai N.]
Update – We’ve tracked down a video interview with Lily herself, which shows off a few more angles of the former MacBook and current article of modern art — check it after the break.
P.S. – As always, we encourage a discussion. A sensitive, intellectual, worldly discussion. If you can’t infer what it is we’re asking of our dear readers tempted to intone on this matter, then please skip commenting on this thread, mkay?
They call themselves the Worldwide Loyalty Team. Among some employees, they are known as the Apple Gestapo, a group of moles always spying in headquarters and stores, reporting directly to Jobs and Oppenheimer. Here’s how they hunt people down.
“You may want to know about their Worldwide Loyalty Team,” Tom told me recently in an email. I read what he had to say. It felt like a description of the Gestapo, without the torture and killing part.
Tom never lived in Nazi Germany, back in the time when the Geheime Staatspolizei had the power to get into any house or any office, at any time of the day or night, without any warrant or reason, to seize whatever or whoever they wanted in their never-ending search to find enemies of the state. A place in which you had no right to privacy whatsoever. A place in which you were guilty until proven otherwise.
No, Tom never lived in Nazi Germany, nor in East Germany, nor in the Soviet Union, nor in Communist China. He lives in the United States. For sure, he has never been scared of losing his life nor the ones he loves, like thousands of millions in those countries. But he knows how it feels to be watched, to always be considered guilty of crimes against another kind of state. He knew how it felt to have no privacy whatsoever when he was working right here, in a little Californian town called Cupertino, in a legendary place located in One Infinite Loop.
Tom knew about all that pretty well, back when he was working at Apple Inc.
Operation Lockdown
Of course, if Tom had never sent any sensitive information to media outlets, he would have never had the fear of being caught, only to get fired and sued into oblivion by Apple Legal. But the lack of any privacy whatsoever is something that he shared with all his fellow employees.
“Apple has these moles working everywhere, especially in departments where leaks are suspected. Management is not aware of them,” he told me, “once they suspect a leak, the special forces—as we call them—will walk in the office at any hour, especially in the mornings. They will contact whoever was the most senior manager in the building, and ask them to coordinate the operation.”
The operation, as Tom calls it, is not anything special. It is not one of a kind event. It’s just a normal practice, and the process is pretty simple: The manager will instruct all employees to stay at their desks, telling them what to do and what to expect at any given time. The Apple Gestapo never handles the communication. They are there, present, supervising the supervisors, making sure everything goes as planned.
All cellphones are then taken. Usually, they collect them all at the same time, which means that the process could take a long time. If you need to contact the outside world while your cellphone is under examination, you will have to ask for permission, and your call will be monitored.
They don’t ask for cameras because there are no cameras at Apple: Employees are not allowed to get into the campus with them. If the cellphone is an iPhone, it gets backed up onto a laptop. “In fact, at the beginning they used to say that the iPhones were really their property, since Apple gave every employee a free iPhone,” he points out. All the employees are asked to unlock and disable any locking features in their cellphones, and then the special forces will proceed to check them for recent activity.
They back up everything and go through all the other phones’ text messages and pictures. If you have porn in your phone, they will see it. If you have text messages to your spouse, lover, or Tiger Woods, they will see them, too. Just like that. No privacy, no limits.
While all this is happening, the employees are ordered to activate the screensaver on their computers, so the special forces are sure there are no chats happening between employees or with the outside world. They are told not to speak, text or call one another while the lockdown is happening: “It is like a gag order, and if the employee does not want to participate, they are basically asked to leave and never come back.”
2009 Is Like “1984”
Of course, all this is voluntary. Management recommends that you relinquish your phones. If you don’t do it they will fire you, or they will investigate why you didn’t want to give them your cellphone. Simultaneously, everyone is asked to sign NDAs during the investigations, even though they already signed Apple NDAs to work there.
“I was at several events. When they find what they are looking for—which they usually do—the person is asked to stay until the end of the business day. Then he is asked to leave the premises quietly, escorted by security,” Tom says. While he’s there, the special forces hang around, watching. “There is a lot that goes behind doors that I don’t really know about. I do know, however, that they really interrogate people that are serious suspects, intimidating them by threatening to sue.”
There is no way to know how often this happens, however, as everything is handled very quietly. The same Worldwide Loyalty Team does many other things to keep everyone in check, from searching out the email history of every employee—which is also a normal practice in other corporations and government agencies—to seeding fake images to catch potential leaks and diffuse the hype about some product introductions.
As Tom was describing all this, my mind was getting back to all I’ve read about Steve Jobs and Apple, back when he was El Capitán of the brave group of free pirates who created the Macintosh. The Mac was a secret project too, but there was no secret police making sure there were no leaks. After a hard day of work, all the Mac team sometimes played on the beaches of California, careless and happy, confident that this new revolutionary computer would change the world, one desktop at a time. All of them shared information, there were no seeeecrets, and that’s why they came up with an “insanely great” computer, as Steve Jobs himself used to refer to it.
And while I understand that secrecy is paramount to success in today’s extremely competitive market—hello, dear marketdrones—now I look at this story on the Worldwide Loyalty Team, and it makes me realize how much Apple has changed. From a happy hippie company, to a company that does KGB-style lockdowns and Gestapo interrogations that end in suicides.
I wonder if the special forces have ever chased anyone through the Infinite Loop campus, dressed in their full regalia:
Privacy advocates and career criminals alike are in a lather over reports that between September 2008 and October 2009, Sprint Nextel ponied up customer location data to various law enforcement agencies more than 8 million times. Speaking at ISS World 2009 (a conference for law enforcement and telecom industry-types responsible for “lawful interception, electronic investigations and network Intelligence gathering”), Sprint Nextel’s very own Paul Taylor, Manager of Electronic Surveillance, lamented the sheer volume of requests the company’s received in the past year for precise GPS data for Sprint customers. How did the company meet such high demand? Apparently, his team built a special “web interface” which “has just really caught on fire with law enforcement.” We’re glad that Sprint’s plans to streamline the customer service experience don’t stop short of those who serve and protect, but as the EFF points out, plenty of nagging questions remain, including: How many individual customers have been affected? Is Sprint demanding search warrants? How secure is this web interface? Check out an excerpt from Taylor’s speech after the break.
This site is run by Sascha Endlicher, M.A., during ungodly late night hours. Wanna know more about him? Connect via Social Media by jumping to about.me/sascha.endlicher.