Tag: security

Introducing MKISIO

Round about a year ago yours truly sought out a “substitute” for this blog. I wanted the ability to “post” information to content consumers, much as is done with websites, except that I wanted the content delivered directly. Use an email newsletter service. Voila! There are tons of those around. Easy!

That is a fact. There are plenty of email newsletter service providers already in business. Some are free, and others even allow you to charge for your newsletter. I was looking for both options, but I also wanted the ability to encrypt newsletters with OpenPGP and give subscribers a way to read the stuff without needing a degree from MIT (i.e. without installing crazily complex software); I thought it would also be nice to have some protection for both myself and potential subscribers in case of a security breach. As for the latter, nothing but NOTHING is un-hackable, so why not make the stored data completely useless to miscreants?

I simply could not get this combination of features from anything in the wild, so I built it myself (with a little help of course). It is called MKISIO.

After covering the basic requirements, some additional fun stuff was added, including …

  • Optional invitation functionality – so a publisher can ensure only known peeps are subscribing to their newsletter
  • Shortlink and QR code quick subscribe widgets – for plastering on legacy blogs and social media profiles
  • Subscription clearinghouse – as new publications are started, anyone with an account can find them and subscribe (assuming they are not invitation-only)
  • A couple of aces and kings up a sleeve, guaranteeing consistent performance in Hold ‘Em

As to why this concoction was dreamed up in the first place, well, the folks over at ReclaimTheWeb have the skinny on that. It wasn’t about creating a solution for raw censorship or economic hardball (a.k.a. de-platforming) though; I just wanted something that could afford more privacy and security, thereby making free speech the default. Sure, if someone wants to share confidential information via a MKISIO newsletter, they most certainly can use the encryption functionality. That was part of my original wish list, if only because nobody else was doing it. Call it a personal challenge, successfully tackled. But the system is also good for sharing treasured fruitcake recipes, keeping extended family up-to-date on the kiddos’ report cards, or castigating members of the condo association … without fear of “repercussions”.

Meanwhile, I will be writing what otherwise would get posted here, over there. You can subscribe to my newsletters by clicking this link. Alternatively, feel free to point your phone camera at the nifty QR code to the left (that is if you are not already reading this post on it).

End Note: If you’ve read all of the above technical jargon slash carefully crafted PR and are still wondering where the name came from, because you thought “MKIS” stood for Marketing Information Systems (you are correct), just read this (warning: it’s silly, but almost the truth). Finally, don’t forget that the beast is still a work in progress, so if you decide to play and find a problem, please feel free to let me know.

MG signing off (to blog via email for a while)

A month without Adobe Flash

Tired of distractions zipping around on the screen, as well as the persistent zero-day security warnings (and related “emergency” updates), I removed Adobe Flash from my laptop one month ago today.

What have I missed?

An auto-playing video of some news media talking head?

Nope. They are the main reason the volume was always muted.

The random sidebar ad somebody paid for?

Pretty much ignored those regardless.

Von Beardly theatrics?

I would have missed that. But I don’t have to (at least not with Safari).

MG signing off (sans Flash, and without the remotest inclination to reinstall it either)

Apple’s services security goof

Apple’s OS X operating system is, in this user’s opinion, a bastion of security. It all boils down to its UNIX roots, and it’s that fact, not the famed usability, that won me over. Considering that, you’d think Apple could apply some similar know-how to hardening their services, but alas, my iTunes account has been disabled. The situation could have been easily avoided, too.

I’ve been receiving these notices intermittently for some time…

Apple security

(more…)

(Re)introducing Brian Krebs

I’ve been following the Washington Post’s Security Fix blog since the Spamroll days. Its author, Brian Krebs, was one of the most insightful internet security journalists around. He still is, only he isn’t working for WaPo anymore. Brian’s now doing his own thing, at Krebs on Security.

December 29th was the (re)start date, meaning you can still get caught up. And with internet privacy and security perpetually at the forefront of the issues net-denizens face (even if they don’t know it until their identity is stolen), I suggest you do. Get caught up, that is.

Krebs on Security…stuff the RSS feed in your reader before it’s too late.

MG signing off (to stay secure)

Practice diligence to avoid fear of the web

Eduardo Porter of the New York Times:

A few months ago, I nervously created my first Facebook page with the minimum necessary information to view pictures posted by old friends.

I returned to the page a few days later to discover that somehow it had found out both the name of my college and my graduation class, displaying them under my name. I have not returned since. In the back of my mind, I fear a 28-year-old hacker and a couple of Russians have gathered two more facts about me that I would rather they didn’t have. And it’s way too late to take my life offline.

There is no doubt that Facebook knows a lot about you. Me too, and I’ve only been on it a few weeks.

I’ve spent my time configuring my profile with an eye to keeping my friends protected – plenty of lists with different access rights, for business and pleasure – and I’ve taken to ignoring most apps (with particular emphasis on polls and the like). While it is but simple diligence, I’m pretty sure it will do the trick just fine for “marketing threats.” But only time will tell. If you are still running around the web like a chicken with its head cut off, you might also want to bookmark this free educational resource from Verisign on how to stay safe on the web. There’s a hefty section on social networks within.

As for Facebook itself having all that data at its disposal, well that is the price you pay. But you never know when someone might cook up a solution for that too.

Stuff YOU might have missed if YOU have been fly fishing too much – 07/13/09

Technology

  • RSA’s Coviello: Cloud Computing Not Secure Enough [PC World] – Web 2.0 and widgets led to the cloud computing craze, so it’s no wonder security wasn’t part of the deal. Nonetheless, while RSA has a clear vested interest in pitching more secure web apps, I’m in complete agreement with Mr. Coviello. Only I don’t think RSA will be the sole innovator in the space.
  • Are You Helping Facebook Outrank You For Your Brand Name? [search engine land] – Get lots of attention over at a site you don’t control, and lose control of your brand in the process.
  • How to Ease Your Transition to Google Voice [LifeHacker] – The dial-once, ring-everywhere service formerly known as Grand Central is getting aggressive with invitations (even I got one), but I think Google really needs to add the ability to port numbers before it really takes off. PS: I heard Google is using the voicemail service to perfect its own text-to-speech services. Is that true?
  • Flickr adds direct-to-Twitter publishing [VentureBeat] – Now playing on Flickr, a way to automatically tweet your photos as you post them. This geek couldn’t figure out if the service would tweet all your photos or whether it could be done on a selective basis, but he couldn’t figure out how to link his Twitter account with his Flickr account either. Then he bailed on the idea altogether.
Finance

  • What’s North Dakota’s Secret? [Forbes] – North Dakota had twice the growth of any other state in 2008, except Wyoming, which it still handily trounced. It presently has the lowest unemployment in the nation, and the 20th ranked GDP per capita. And a budget surplus. Huh?
  • U.S. Home Prices to Fall Through 2011’s First Quarter [Bloomberg] – Unemployment becomes the next leg in the foreclosure boom, and more than half of the major cities in the US are expected to see falling prices for the next two years.
  • The Rental Market Stinks Too [The Atlantic] – While some thought rising foreclosures would lead to rising rental prices as former homeowners bailed on their mortgages, the opposite has happened in many places.
  • Mean Street: California IOUs and the Great American IOU Market [WSJ Deal Journal] – Banks won’t take them, and recipients have to eat. The SEC is coming to the rescue, declaring California’s funny money a municipal security and hoping a regulated market will arise for their trade. I wonder if anyone will be allowed to short them.
Fly Fishing

Give yourself a break, will ya’?

Adieu.

Running a secure web server on your Leopard-powered Mac

This is not something most of you would want to do, but I’m in the midst of a project that requires SSL for testing purposes. My MacBook Pro serves as a primary communications center, research tool, and the access interface to the blog blather you’re reading right now. Plus, it’s one hell of a development platform too. SSL is a big part of building secure web services, so I’m putting this forth just in case.

Quick note: this is a fairly detailed process, so take a firm hold of the wheel and be prepared for a lengthy ride. You are going to need your terminal and su access. You will be generating encryption keys and certificates, and editing Apache conf files, after the jump.
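The post’s own walkthrough sits behind the jump, so what follows is an added example (not the author’s steps, and not the Leopard-era commands) of the two halves the paragraph names: generating a private key and self-signed certificate with OpenSSL, and writing an Apache SSL virtual host for it. It assumes a current OpenSSL (1.1.1 or later, for `-addext`) and Apache 2.2-style mod_ssl directives; the hostname, output directory and file names are placeholders.

```shell
#!/bin/sh
# Added example: self-signed TLS material plus an Apache SSL vhost for local testing.
# Assumes OpenSSL 1.1.1+ (for -addext) and an Apache 2.2-style mod_ssl configuration.

# gen_selfsigned HOST OUTDIR
# Creates OUTDIR/HOST.key (2048-bit RSA, mode 0600) and OUTDIR/HOST.crt, a one-year
# self-signed certificate whose subjectAltName matches HOST (browsers ignore CN alone).
gen_selfsigned() {
    host=$1
    dir=$2
    mkdir -p "$dir"
    # umask in a subshell so the private key is never world-readable, even briefly
    ( umask 077 && openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
        -keyout "$dir/$host.key" -out "$dir/$host.crt" ) || return 1
    chmod 600 "$dir/$host.key"
}

# cert_matches_key KEYFILE CERTFILE
# Returns 0 only if the certificate carries the public half of KEYFILE; a mismatch is
# the usual reason Apache refuses to start after a certificate is reissued.
cert_matches_key() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null | openssl sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# ssl_vhost HOST DOCROOT KEYFILE CERTFILE
# Prints a minimal HTTPS virtual host: SSLv2/SSLv3 off, anonymous and MD5 cipher
# suites excluded, server-side cipher preference. The key file must be readable only
# by root, since httpd reads it before dropping privileges.
ssl_vhost() {
    cat <<EOF
Listen 443
<VirtualHost *:443>
    ServerName $1
    DocumentRoot "$2"
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!MD5
    SSLHonorCipherOrder on
    SSLCertificateFile    "$4"
    SSLCertificateKeyFile "$3"
    <Directory "$2">
        Options -Indexes
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>
EOF
}

# Usage: sh secure-apache.sh HOST OUTDIR   (placeholder names; runs only when given args)
if [ "$#" -eq 2 ]; then
    gen_selfsigned "$1" "$2" >/dev/null 2>&1 || exit 1
    cert_matches_key "$2/$1.key" "$2/$1.crt" || exit 1
    ssl_vhost "$1" "$2/htdocs" "$2/$1.key" "$2/$1.crt" > "$2/$1-ssl.conf"
    echo "wrote $2/$1-ssl.conf; Include it from httpd.conf and run apachectl configtest"
fi
```

The vhost is written to a separate file on purpose: `Include` it from httpd.conf, run `apachectl configtest` before restarting, and keep the `.key` out of the document root. Because the certificate is self-signed, the browser will warn on first visit; for testing that is expected, and the `cert_matches_key` check is what tells you the warning is the only thing wrong.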

(more…)

Who’s got the spam: MySpace or Facebook?

And what about the app providers themselves?

Kristen Nicole asked: “When Did Facebook Get More Spammy than MySpace?” It’s all the buzz since the BBC reported that a third-party widget application can be used to gather personal data on its users – Facebook security.

Why there is an expectation that social network abuse wouldn’t grow in line with network expansion itself, I cannot answer. Maybe it’s the morass of privacy settings available to the user – kind of like a security blanket, even if you don’t have the time or the inclination to work through them all. Could it be the consistent public relations byline coming out of the organizations themselves? Or maybe it’s the constant buzz from the blogosphere and media. Personally, I expected the spam.

Nonetheless, I’m the first to point fingers at the buzz. Quick and dirty searches for the two kings, associated with the word “spam,” produced the following results:

Not really much of a winner here. While even my own search results show Facebook in the lead, 10 hits to 2 hits, those figures are statistically insignificant. As is, I believe, the concept of spammers doing measurable damage inside the networks.

What I’d be more concerned about is this…

Facebook (and I’m sure MySpace) has the resources to put the kibosh on these issues (and Facebook is already claiming they pay careful attention to potential problems, although some of that effort is aligned with natural attrition). But what about the application providers themselves?

The prevalent business model for the apps seems to be new-media targeted marketing (i.e. internet advertising) – the apps/providers are collecting data… right? How good is their security? And how long before miscreants start mugging them instead of chasing their tails inside the fortresses?

Why Bruce Schneier Having An Open Wi-Fi Network Is No Good Reason For You To

Bruce Schneier, cryptography king, keeps his home network open. And despite what Tim Lee wrote in support of the idea, please don’t listen.

The justification is that the risk of someone using your network for illegal means is very low, while the risk of you getting hacked at the local coffee shop is potentially higher. Hence, worry about your machine, not your home connection.

I say BLAH! This piss-poor argument ignores two significant points:

1) There is little or no benefit to you from opening your network; and

2) It takes minimal effort to secure your network with a password (a WPA2 passphrase, that is – WEP can be cracked in minutes and buys you nothing).

The risks may be low, but you have nothing to gain in exchange for taking them. And the cost of that single long-tail incident – one that could potentially cause you tons of legal hassle – far outweighs the minimal effort needed to add that little extra layer of protection.

If you are hell-bent on providing web access to home visitors, I’ll take for granted that you trust them. Give them the key, like I do. Or, if you’re wearing a tinfoil hat as you hand them their coffee, ask them to let you type it in yourself.

UPDATE: Being open can cause hassles (unless you don’t consider having your computer confiscated by less than technology-savvy law enforcement officers a hassle).

Black Hats on OpenID

Just a couple of points on OpenID security – may be redundant to those who have already thought this stuff through.