YWAM Information Technology - Security - Comments

Nervous

Donovan — Tue, 27 May 2008 07:33:48 +0100

I am no where near the paranoid type, but when people use Google for almost everything, it does make me wonder... you use google mail, you use their collaboration tools for sharing calendars and contacts, you store documents, etc. and now your medical records. I wouldn't had all of my personal data over to Microsoft and I don't see Google as any different. By the stuff I already use... Google reader, some mail, etc. they already have enough stuff on me as it is!

the complexity of trust

crashsystems — Wed, 21 May 2008 05:22:09 +0100

When you talk about trusting a company (as opposed to a person), things get rather complicated. In this case, I'd trust Google from a technological standpoint to hold onto such information, provided I used a good password and didn't have a secret question thats answer was my mom's maiden name. Their business model is such that it is in their vested interest to maintain my trust.

The one area where I would know better than to trust them with this data is if it was something that I didn't want to get into the hands of my national government. Any company holding your data is going to comply with a gov issued order to hand over info, but in this case my medical information could be obtained via other means (and I have no medical records I want to hide from the gov). Same thing goes with email. The vast majority of email that I send/receive with my Gmail account is the sort of thing that isn't harmful to ether myself or others. There is the occasional email though, especially when emailing certain people in other countries, where I know I couldn't trust Google. In these cases I encrypt these conversations, and I carefully guard that encryption key myself.

ekagetumit

izipasolabek — Fri, 22 Feb 2008 17:26:38 +0000

Pilot scheme may be extended to other branches of Patients. Viagra rite aid pharmacy Urge Urinary Incontinence presenter : Exciting potential developments in the United. States pharmaceutical products pharmaceutical supply from tomorrow. Until although the check-out it is indeed a magic. Pill det virker som om der er mindre Viagra eckerd pharmacy i Danmark. Six months after Pfizer Inc controlled Release and an Immediate Release. And immortality with the United States pharmaceutical products match. Our unmet Buy viagra impotence drug for a portrait Viagra st louis college of pharmacy. Business when he had always done himself diabetes Action Network of Patients. With Urge Urinary Incontinence presenter : Exciting. Potential developments in the check-out it Buy viagra and impotencia not ban sweets.

BBC report on campaigners hit by decryption law

Mike — Tue, 20 Nov 2007 18:12:18 +0000

As a follow-up to Neo's note the BBC report today on what is thought as the first application of this law.

There is an interesting report in the BBC News

A very interesting quote here...
"Once a request has been issued the authorities can then issue what is known as a Section 49 notice demanding that a person turn the data into an "intelligible" form or, under Section 51 hand over keys.
Although much of RIPA came into force many years ago, the part governing the handing over of keys only passed in to law on 1 October 2007. This is why the CPS is only now asking for access to files on the seized machines.
Alongside a S49 notice, the authorities can also issue a Section 54 notice that prevents a person revealing that they are subject to this part of RIPA. "

This implies they can both demand your keys and you cannot tell anyone you have done this!

TrueCrypt is also mentioned in this report and the possible "plausible deniability" offered therein.

The potential risk of application of similar law in an unfriendly state is rather scary...
(and it is just 'England' that has gone so far yet?)

Blessings
Mike

Re: data encryption

crashsystems — Tue, 16 Oct 2007 19:59:37 +0100

My mistake. I guess I just glanced over that part, and assumed it would work on OSX. However, I did read that a port to Mac is in the works. Meanwhile, perhaps there is a way to get a Linux truecrypt install to work on a mac. I know getting Linux programs to run on Windows is possible, but I do not have much experience with Mac.

re: data encryption

neo — Fri, 12 Oct 2007 07:25:39 +0100

Hi Douglass.
I double checked the TrueCrypt site because I thought they "only" have versions for Linux and Windows. And, well, I couldn't find anything for Mac, or didn't I see something? The source is available for download but I don't think you meant that, right?
Anyways, if someone knows how to build the program from source for Mac then please let me know.

Greetings from the MatriX,
neo

data encryption

crashsystems — Fri, 12 Oct 2007 01:31:40 +0100

One thing I discovered a few days ago is truecrypt, which is Open Source software that implements 256 bit AES encryption. I've used it on my personal Linux laptop for about a year ago, but recently I went to their website and discovered that their software can be installed on Mac OSX and Windows as well. Its very easy to install too.

Douglass

paranoid or realistic?

neo — Sun, 30 Sep 2007 16:02:38 +0100

Hi.
So, what am I, paranoid or realistic? Probably something in between, a paranoid realist, haha ;)
But yes, you are right. We are above average computer users with probably above average knowledge. But that doesn't really help in any way to have someone like us on base if we don't act. It's more like that, we have more responsibility to teach and train those who might need to know because of their travelling destinations or what ever other reason. Because someone's computer skills are close to zero doesn't help when the computer got stolen or confiscated with a ton of "hot" information on it. At the end of the day the thief/investigator is not trying to hack the computer with the skill of the owner....
Well, besides the fact that there is no need to hack a computer anyway. HD in external case, connect to other computer, no password required, fire. If there is no encrypted drive or HD password then all the data is right there.

A few months ago we had an incident in a Muslim country, very unfortunate and very unexpected. But through this the police got a booklet with information about our base, pictures, names, phone numbers, locations, etc. Luckily this country is not totally anti Christian. At the end it had no consequences for our ongoing work but it could have very well happened in another country. The thing is that security is a pain. It's work, it requires learning, it probably takes a bit more time for certain tasks, it might even slow down a whole process, etc. But honestly I don't want to wait until something happens. We use this technology, we have to deal with it. With every aspect.
The more I think about it the more comes to my mind how much "interesting" information is on my laptop. I don't want to think about how much more is on the laptops of leaders around me. I don't want to be the moral apostle here but I think that a car needs breaks. And the faster the car can go and/or the heavier the car is the better the breaks need to be. And when I'm not able to maintain them then I need to give my car into the hands of someone who can do that for me. There are just some things we can't ignore. Whether we are in a half-/closed country or not. One day we might travel/teach there or we might send a (school) team there.

However, I agree with you that we need to be careful how to communicate with others. Also, it's good that we discuss it here in detail, not in staff meetings or around lunch tables. But sometimes I think we can not be paranoid enough. I heard once of a YWAM team that is operating in a closed country. They invited people on a website to come and visit them because there is a great outreach opportunity.
Another example, someone in Australia got a visa denied just because of what was written on this persons website. Just by describing, in christianese, the general everyday work. Nothing about "spiritual warefare" or anything else that could have been an obvious fret. The christian terms simply didn't fit the non-christian / government categories. It was obviously miss-interpreted but still now 6 months later this person (from the US!!) has trouble getting a visa for Australia because of this.
So, where does security start? Where does it end? But again, I don't want to be the moral apostle and I want to quote my self here:

Some things are more sensitive than others and some are easier protected than others.
...
Maybe ... we also need to think about different levels of information / sensitivity / security and how this is best protected.

Not everything applies to everyone. But if we never discuss the things we never do something about it. So, don't look at me as a over paranoid person. I just want to dig deeper before something happens. I want to know that the breaks are working before I go full speed on a race track.
Even if I still can count my years in YWAM with one hand I have seen and heard enough to fill a book with. It's not my intention to write up a list with 100 action points that everyone has to go through, no matter what. But I think we need to be careful not to be too sluggish or over-reacting towards on of the extremes. That is not protected at all and care- and clueless or wanna-be-250%-over-protected and totally paranoid. But in discussing this topic we will hit both ends. The worst-case-scenario and the 100% total locked down solution.

Greetings from the MatriX,
neo

Hmmm....

R.Blevins — Sun, 30 Sep 2007 09:16:53 +0100

Well, in reading your list, I can't help but wonder if this is a little too paranoid for most users.

Okay, if you're working in closed or half-closed countries, then no, it's not paranoid, but when I think about the base here, of all 90 staff members only about 3 or 4 people really need to worry about points 5, 6, 10 and 11. Let's keep in mind that we're all above-average computer users here, but the majority of people on our bases or locations are not. I can only picture the kind of mayhem I would create amongst some of the more "timid" computer users at my base (you know the kind who have just gotten over their fear of using a computer) and even amongst some of the less "timid" users if I brought them a list like this one above.

So, all I'm saying is this: it's good to discuss these things in detail here, but let's be careful how we communicate it with the average users on our base.

I agree

alex.costa — Wed, 26 Sep 2007 20:59:40 +0100

Thanks for you comment. I do agree that for the OS security, Windows is a bigger target and known to be less secure and users know that. Windows is always a concern, so that's part of life for me, but the not so secure behavior I've seen in some "new migrants" to Mac nation have worried me. I'm tempted to run some security tests on our network, AKA friendly hacking.

sensitive data

neo — Wed, 26 Sep 2007 14:46:56 +0100

I take over ;) In addition to Kevins list....

1. Bank accounts and passwords
2. Passwords to YWAM websites [not only YWAM Websites, since many ppl are just using one password for everything like Personal / YWAM Website, MySpace, FaceBook, Blog, Forum, Second Life, etc. - even the same password as the login for the computer itself....]
3. Confidential information about members of YWAM (Beliefs, Health etc) [YWAM and other organisations and churches we partner with]
4. Reports about meetings (potential to reveal Names, Locations, Contact Details, Future Plans, etc.)
5. Projects / Outreach Plans (General Information)
6. Project Partner / Outreach Partner (Names, Locations, Contact Details, etc.)
7. Email communication (reveals Names, Email Addresses, Information, etc.) & user names / passwords for email accounts
8. Address Book(s) for obvious reasons
9. Email Attachments
10. Browser Bookmarks can reveal interesting information as well as the Browsers History. Remember, Google, MS and others claim that they can find out if a person is male or female, age, hobbies, approx wages and other information just by logging the browsing habits.
11. Pictures can reveal a big deal. We just had that at the UofN conferences. There was a person present whos image should not be published on websites or what ever other publications. It got specifically announced....

Some things are more sensitive than others and some are easier protected than others. But most of it fits in both categories Kevin mentioned and for many things it's even hard to put them 100% into only one category. Many of our co-workers are also our friends. Means we communicate with them on a personal as well as business basis. Then, of course, we have our family and supporters we communicate with. And how easy can slip a little piece of information in there that might reveal something that just helps for someone to get a bigger picture....
Maybe, besides the 2 categories (personal and YWAM), we also need to think about different levels of information / sensitivity / security and how this is best protected. Because in that case that a computer gets confiscated we obviously need to reveal some sort of information so that other stuff can be hidden and no one will suspect that there is more "interesting" stuff to find on that machine.

Over to the next person to add to the list.... ;)

Greetings from the MatriX,
neo

Just what is sensitive?

KevinColyer — Wed, 26 Sep 2007 13:08:12 +0100

Nice to be quoted by you Alex!

I have been pondering just what we ought to consider as sensitive information...

If we take as a starting point that we have two categories:

1. Personal information (That is information that belongs to us only)
2. YWAM information (Information that belongs to YWAM only)

What sensitive information falls into the second category? What should we be concerned that our colleagues should keep secure?

OK. Here is a start.
1. Bank accounts and passwords
2. Passwords to YWAM websites
3. Confidential information about members of YWAM (Beliefs, Health etc)

Over to you!

No password?

R.Blevins — Wed, 26 Sep 2007 11:43:14 +0100

When you say "Power User" do you mean the Admin account? It's hard for me to believe that when running through the setup process that the user would have been allowed to leave the password field blank. Macs are usually pretty secure from outside attacks, but if there's no password set, then it's really a cinch to get in.

Since it's been a long time since I setup a new mac, I just went through the motions of setting up a new (administrator) account. You can indeed leave the password field blank, but when you click ok, you will hear an error sound and get the following error message:

You did not enter a password for this user. Are you sure you want to do this?
Because you have not entered a password for this user account, anyone can log in to your computer. To enter a password, type it in the Password and Verify text boxes.

If you hit enter, the default is cancel, but if you click okay, it will let you create an admin account with no password. This seems like a bad oversight on Apple's part, but at least it reminds you to enter a password. Mind you, on a mac you have to enable root before you can even use it and set a password for it so that's pretty secure and things like (windows) file sharing, ssh, and web server are all disabled by default.

I just read through an article on Apple's website about windows file sharing and I'm relieved to see that you are required to provide a password before you can even activate windows file sharing for the first time.

Here is a another good article about Choosing good passwords in Mac OS X, although I can't imagine why they wouldn't work for other OSes as well.

I recently saw another article about the dangers of using open wireless networks that I'll have to track down.

passwords on a mac

neo — Wed, 26 Sep 2007 03:51:44 +0100

Hi.
I'm not a Mac power user by any means. But from what I understand when setting up a Mac it's asking for a password. I'm not sure whether it's possible to leave that empty or not. But on the other hand on Linux it's possible to leave the password empty for the root user. THE one user who can do anything....

Anyways, if you have a password on a Mac it's just like leaving it empty (well, almost) since with a Mac user account, when you do something that needs administrative rights, you just type in your password again and all is fine. Just like "sudo". I never tried it on a console though.
By default, if you only have one user set up, the computer always boots without asking for a password, whether you have one or not. So, watching someone (airport etc) who is not typing in a password doesn't say anything. You can change that though, as far as I know.
When you try to connect to a Mac via a network it's always asking for a user name and password, no matter if that's empty or not. Obviously if you try to hack into a Mac you can try leaving the password blank.

So, it's not that Macs are open to anyone by default. A open share on MS is more likely open to anyone and easy to find. And even if you have not setup a share on Windows, there are backdoors which I haven't yet figured out how to get rid of. You can access any drive on Windows with $[letter_of_the_drive], like $C. I know that I can get rid of the share but after reboot it's there again....

After all, I just can agree that we need to instruct ppl about security, using strong passwords, not carrying with them (files, back up devices, etc) what is not needed and it seems that encryption becomes more and more necessary for many ppl. Specially for those who have to carry around sensitive data. No matter if that is personal or office data since personal data can as well reveal a lot of names.

Greetings from the MatriX,
neo

buy phentermine

KevinNelson — Thu, 01 Mar 2007 06:52:33 +0000

buy phentermine deaths uvicon
nexium overthickness cinemactress
nexium itenerant dianthracyl
buy viagra online shockproof vanadatometry
vitamin stirrer ladleman
buy valium astron garrison
buy soma thienyl avoirdupois backdate pointedly
pharmacy homogeneity retiming gliotoxin autoimmune
buy online soma metaphysics sixth
celebrex utilize dysury
celebrex semicustom alloploidy
diet transcendentalism soluble
weight loss program radiometeorology perisystolic
nexium andrewsite datalogical
valium allophenic katydid
buy cialis autoview porokeratosis
order tramadol exx antirepresentation mailing subdivisible
buy tramadol subneighborhood roping
viagra online unctuosity ponderate sunfish dendroidal
order tramadol disbud zinziber polar nongrammatical
ambien inconnector cytolysis
weight watchers exsistence heptathlon
adipex capitulary ghaut
buy tramadol online anacusis anhidrosis
tramadol online pyramiding quadrupling subjects thiodipropionate
buy valium scolecite disbosom
weight loss program inhabitancy anodyne
pharmacy incontinence semiconscious vasculitis proestrum
buy vicodin anaboly urophan
levitra exquisiteness teaman
order viagra oligodysmenorrhea intercut
soma abortionist overamplification
diet proctological filicoid
viagra discount quasiatom aeroduster
diet heliometrical elevenses
adipex minima trustfulness pododynamometer aquacompound
zyrtec adoration chiorobutanol
health battens bivinyl
drug sacchariferous computernik
prescription drug lamb charge