Using multiple avatars and your right to privacy

Over the years we have taught many people to use the Internet and they have gone from nothing to active users. We mainly focus on the older person and they have some very specific usability issues and use cases such as planning and booking flights, booking tickets, booking hotels, buying books/eBooks, movies or music and using VOIP-like systems as well as traditional email.

We’re very proud of getting some people, who had never had an email address and who relied on a lot of walking or phoning about, to the point where they can plan, book and pay for trips to see their friends, all online from their home. It’s a really nice feeling to get things like videochat going so they can talk to and see their grandchildren on the other side of the world, or to take and upload photos rather than developing and posting hard copy prints.

Naturally they are fearful of phishing and identity theft, and they have a reason to be, as they actually have money that could be stolen.

Children have different concerns. We don’t have much demand to teach children, as it works the other way around: they are taught at school and have no problems with being online. They don’t have much money or credit cards, but they do have a risk of identity discovery and the potential abuse that could follow from that, such as cyberbullying or people socially engineering them into revealing their parents’ details (like parent credit card details).

Our approach is to teach people, old and young, to maintain multiple online identities. We say that they are in control of their data here, not the other system. Make it like a game, so the created names are something like an amalgam of characters they like. They also have their real identity, parts of which are known only to friends they meet in real life, and obviously real data needs to be given to companies for credit card purchases or plane tickets. For every other system, use one or more avatars: the descent of a human to the Internet.

This works well with children as they love character acting, especially as every modern electronic gadget wants Internet access. Our own children’s Playstation3, for instance, has nothing on it that could ever be of any use to someone socially engineering our children online. Everything from names, dates of birth, addresses or ZIP/Postcodes to email addresses can be, and is, made up. So who cares?

Well, the government and the online companies seem to care. Their approach is that children need their parents’ permission, and they imply that the private data the person provides should be accurate and that they will keep it safe. Companies want data they can sell that points back to real people, and the Government just wants to do whatever governments want to do.

No, sorry, a better approach is for the person, the parent and the child to collude and give out nonsense data that allows them to use a service but is of little relevance outside of that service. The loss of data by the company becomes irrelevant, as the stolen data has no relationship to the person’s actual physical identity or real person. By getting into a mindset that nothing online is what it seems, you instil the idea: do not trust anything unless you can verify your trust.

 

Using DNS TXT records to effect EU/UK cookie law

It struck me that the most logical way of expressing what policy you have for a web site for the use of cookies or personal data is to detail this policy within the DNS records that a person (or their device) must look up BEFORE they hit your site. A bit like how SPF records detail email delivery policy for your systems and recipients can use this (or ignore it) when they look at emails that are claimed to be from your domains.

The suggestions of using web page forms or pinch pages or similar require both the site operator and the site user to do things for no logical and practical gain to either party.

So how would this work? Well, you would add a TXT record that has an expiry and that, for each CNAME or A record or for a default, lists either a URI to a privacy policy which would include details on cookie use and/or a set of flags on cookie use (the URL of the policy is a bit like the CRL within SSL).

The user, before they visit the web site, thus has the opportunity to examine the privacy and cookie use policy without actually visiting the web site.
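A sketch of how a client could evaluate such records before visiting a site, added here as an example and not part of the original proposal. The `v=cookiepol1` tag syntax, the tag names (`host`, `exp`, `uri`, `flags`) and the flag values are all hypothetical, and the TXT strings are constructed samples rather than live DNS data.

```python
from datetime import datetime, timezone

# Constructed TXT strings for one zone; the "v=cookiepol1" syntax is hypothetical.
SAMPLE_TXT = [
    "v=spf1 mx -all",  # unrelated TXT data that must be skipped
    "v=cookiepol1; host=*; exp=2030-01-01; uri=https://example.org/privacy; flags=session",
    "v=cookiepol1; host=shop; exp=2030-01-01; flags=session,analytics,thirdparty",
    "v=cookiepol1; host=old; exp=2012-05-26; flags=session,thirdparty",
    "v=cookiepol1; host=blog; exp=2030-01-01; uri=https://example.org/blog-privacy",
]

def parse_record(txt):
    """Return the tags of a cookie-policy record, or None for any other TXT data."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or parts[0] != "v=cookiepol1":
        return None
    tags = {}
    for part in parts[1:]:
        key, sep, value = (s.strip() for s in part.partition("="))
        if not sep or not value or key in tags:
            raise ValueError(f"malformed or duplicate tag: {part!r}")
        tags[key] = value
    if "exp" not in tags or not ("uri" in tags or "flags" in tags):
        raise ValueError("record needs exp plus uri and/or flags")
    exp = datetime.strptime(tags["exp"], "%Y-%m-%d").replace(tzinfo=timezone.utc)
    flags = set(tags["flags"].split(",")) if "flags" in tags else None
    return {"host": tags.get("host", "*"), "exp": exp,
            "uri": tags.get("uri"), "flags": flags}

def policy_for(host_label, txt_records, now):
    """Pick the unexpired record for host_label, else the unexpired '*' default."""
    live = [r for r in map(parse_record, txt_records) if r and r["exp"] > now]
    by_host = {r["host"]: r for r in live}
    return by_host.get(host_label) or by_host.get("*")

def acceptable(policy, tolerated):
    """Fail closed: no live policy, or no machine-readable flags, is not acceptable."""
    if policy is None or policy["flags"] is None:
        return False
    return policy["flags"] <= set(tolerated)
```

An expired host-specific record falls back to the default, and a record that only carries a policy URI is treated as needing a human to read it.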

Actually we know anonymous web site users won’t give two flying ducks about what cookies our web sites use, given they probably already use anything from ad blocking software to browsers within virtual machines, but for some bizarre reason the UK Information Commissioner’s Office (ICO) has managed to gold-plate an equally bizarre EU cookie directive. Yes, the ICO is the same group that gets everyone who handles personal data, from babysitters through to government departments, to pay either Tier 1 of £35 or Tier 2 of £500 (if you have 250 or more employees and £25.9 million revenues; yes, logic isn’t their strong point). But the ICO doesn’t have an online payments system, nor can it take credit/debit cards, so you end up having to print out the forms you just filled in online and send those with your cheque. Or you can use a direct debit from your bank account, only they can’t actually do direct debits if you have to pay a Tier 2 £500 fee. In sharp contrast, Companies House, the regulator and registrar for companies, does everything online, and you can renew your annual company registration for the grand sum of £14 online as well.

Changing Joomla! MySQL user password without outages.

Changing your Joomla! MySQL database password without a loss of service is done as follows:

1) Open the existing configuration.php file for Joomla! (found in your web site root) and print or save the details. This gives you a backup copy.

2) Use your cpanel (generally cpanel but there may be other hosting backends to access the MySQL database users) and add a new database user with a suitably strong password. Take care here and observe the cpanel error messages. Unless the password is strong enough it won’t save the values.

3) Assign this new MySQL database user to your existing Joomla database with all privileges. Thus it is running in parallel with the existing MySQL database user.

4) Now edit the configuration.php file for Joomla! (found in your web site root) and change the two entries:

$user =
$password =

to these new MySQL database user values and then save that file back to the server. Joomla! will now be using this new database user.

5) Then you must verify this is true by going into the administration for Joomla and looking under Site -> Global Configuration -> Server and seeing that the database settings username is the new username.

6) If so, then use cpanel to delete the old MySQL username or at the very least change the password to something new.

Why do it this way? Why not just change the MySQL database password? Because of timing: you cannot change the MySQL database password and the configuration.php file instantaneously. By adding a new database user that is waiting to be used and then changing the Joomla configuration, there is no loss of service and you can easily verify that it is working on the new setting by checking the Joomla administration screens.
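Step 4 as a script, added here as an example and not part of the original post. It assumes the stock `configuration.php` layout, where `$user` holds the MySQL username, `$password` its password and `$db` the database name (which stays unchanged); `set_db_login` and the sample file contents are constructed for illustration.

```python
import os
import re
import tempfile

# Constructed sample of the relevant part of a Joomla! configuration.php.
SAMPLE_CONFIG = """<?php
class JConfig {
    public $host = 'localhost';
    public $user = 'site_old';
    public $password = 'old-secret';
    public $db = 'site_joomla';
    public $smtppass = 'mail-secret';
}
"""

def set_db_login(config_path, new_user, new_password):
    """Point Joomla! at the new MySQL user; return the old username (for step 6)."""
    with open(config_path, encoding="utf-8") as fh:
        text = fh.read()
    old = {}
    for name, value in (("user", new_user), ("password", new_password)):
        # Matches: $name = '...';  (a single-quoted PHP string with escapes)
        entry = re.compile(r"(\$" + name + r"\s*=\s*')((?:[^'\\]|\\.)*)('\s*;)")
        found = entry.findall(text)
        if len(found) != 1:  # refuse to guess if the file is not as expected
            raise ValueError(f"expected one ${name} entry, found {len(found)}")
        old[name] = found[0][1]
        # Single-quoted PHP strings need only backslash and quote escaped.
        quoted = value.replace("\\", "\\\\").replace("'", "\\'")
        text = entry.sub(lambda m: m.group(1) + quoted + m.group(3), text)
    # A temp file in the same directory keeps os.replace() an atomic rename, so
    # PHP never reads a half-written file or a mix of old and new credentials.
    folder = os.path.dirname(os.path.abspath(config_path))
    fd, tmp = tempfile.mkstemp(dir=folder, prefix=".configuration-")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write(text)
        os.chmod(tmp, os.stat(config_path).st_mode & 0o777)  # keep file mode
        os.replace(tmp, config_path)
    except BaseException:
        os.unlink(tmp)
        raise
    return old["user"]
```

Run it only after steps 2 and 3, so the new user already has access when the rename lands; the returned name is the account to delete in step 6.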

A third party ideally should not know your MySQL passwords or be able to access your MySQL databases remotely, but on shared hosting, where there is just one MySQL engine running, any account on that machine can access your databases if they know the database, username and password details.

Using write-locked SD cards when virus hunting on Windows PCs.

Sometimes you want to check a client Windows PC that is suspected of having a virus and you want to install software that the Windows machine doesn’t have installed e.g. ProcessExplorer or SiSoft Sandra or similar as part of your preliminary checks.

You should keep the suspect Windows PC away from the Internet, so you want a safe way to quickly copy software. Obviously this is now USB keys, but all cheap USB keys I know of don’t have a “write-protect” switch. If there is a virus you want to prevent it copying itself to your USB keys, otherwise you’ll make some mistake and could end up with a Windows virus moving around your Windows test systems.

The easiest way to get a cheap write-protected USB key is to use a low cost SD card like you would use in a camera and an SD-USB adapter. Most, if not all, SD cards have a write-protect switch and SD to USB adapters are cheap. Load all your software that you expect to use onto the SD card, set the write-protect switch to lock and then plug this into the USB adapter and then you can safely plug that into the suspect machine and start your investigations. As far as I know the write-protect logic is part of the SD reader so few viruses would be able to override that without a good understanding of that device driver and truthfully if you’ve got something that ingenious then a high level process view of such a Windows PC will probably find nothing amiss.

 

UK Information Commissioner

The UK Information Commissioner’s Office is the independent regulatory authority whose role, from our point of view, is as the registrar for Data Protection and privacy in the UK. With the soft launch of Life Sign Press we’ve moved from being a data processor to a data controller.

With the few queries that we have sent the ICO, they have replied with satisfactory answers. Their web site for registration is good (with one annoying flaw, *see later on) but you really have to know exactly:

  • what data you plan to collect on the public,
  • how you plan to store and process this data,
  • what you plan to do with the data,
  • how you plan to secure the data and
  • how you plan to get rid of the data.

This is not decided on a whim and this is not a one-off project.

Both Security and Privacy are processes, not projects. Expect to be paying for these for the rest of your business life; this cannot be avoided without significant penalties if you get caught.

Open Mutual has had years of experience with handling client data and use of crypto and we can help you with this process too.

* the one flaw is that you have to print the forms that they have created and then send them by post along with your cheque.