Security

Have you thought about your online password strategy lately?

OK, so you've decided that it's just too hard to do security right: to have strong passwords for important sites, to use 2-step authentication, etc. Well, here's one story of what happened during and after a Gmail account was hacked:

As email, documents, and almost every aspect of our professional and personal lives moves onto the “cloud”—remote servers we rely on to store, guard, and make available all of our data whenever and from wherever we want them, all the time and into eternity—a brush with disaster reminds the author and his wife just how vulnerable those data can be. A trip to the inner fortress of Gmail, where Google developers recovered six years’ worth of hacked and deleted e‑mail, provides specific advice on protecting and backing up data now—and gives a picture both consoling and unsettling of the vulnerabilities we can all expect to face in the future.

Maintaining privacy when crossing borders with your digital data

Most border crossings are uneventful, but if you have sensitive data on your electronic devices, you may be in for some surprises if you assume the data is private:

For now, a border agent has the legal authority to search your electronic devices at the border even if she has no reason to think that you’ve done anything wrong.

The EFF has a great guide for maintaining your privacy:

Different people will choose different kinds of precautions to protect their data at the border based on their experience, perception of risk, and other factors. There is no particular approach we can recommend for all travelers.

They go on to explain the options and make recommendations for many common scenarios.

Saying 'yes' more often

Sometimes it's important to push your fears aside and experience the world. Scott Adams spent the last year doing just that:

As 2011 approached, I wondered what would happen if, for the next 12 months, I said yes to any opportunity that was new or dangerous or embarrassing or unwise. I decided to find out.

Santa's list leaked

Apparently, bad security has led to the naughty list being leaked on the internet:

Think about this while you travel this Christmas

Here's another commentary on the uselessness of most of the security programs in place in airports:

To a large number of security analysts, this expenditure makes no sense. The vast cost is not worth the infinitesimal benefit. Not only has the actual threat from terror been exaggerated, they say, but the great bulk of the post-9/11 measures to contain it are little more than what Schneier mocks as “security theater”: actions that accomplish nothing but are designed to make the government look like it is on the job. In fact, the continuing expenditure on security may actually have made the United States less safe.

Chance of a lifetime

Do you say 'yes' to opportunities in your life?

Responsible spending

So here's one of my pet peeves: we want to think we're rational, and then we go and do stupid stuff like this:

How rational is it to spend 25 times as much on something that is almost 2000 times less likely to occur? Answer: it isn't.

And if you are tempted to say something like "Yeah, but we got Bin Laden, the war is working!", well, then, I suggest you read The Starfish and the Spider. In any case, even if we did stop terrorism (which we didn't), we've got much bigger daily threats to our lives that we're ignoring. This graph hopefully puts one of them in perspective.

Shame on you, HTC

I love my HTC Thunderbolt. But I'm pretty upset to find this today:

That is not the case. What Trevor found is only the tip of the iceberg - we are all still digging deeper - but currently any app on affected devices that requests a single android.permission.INTERNET (which is normal for any app that connects to the web or shows ads) can get its hands on:

  • the list of user accounts, including email addresses and sync status for each
  • last known network and GPS locations and a limited previous history of locations
  • phone numbers from the phone log
  • SMS data, including phone numbers and encoded text (not sure yet if it's possible to decode it, but very likely)
  • system logs (both kernel/dmesg and app/logcat), which includes everything your running apps do and is likely to include email addresses, phone numbers, and other private info

In a nutshell, this means that basically every app on my phone can get access to everything I do, every person I call, every website I visit, every text I send, and more. And since apps with this permission can access the internet (that's the permission they requested that gave them all these privileges), they can send any of that information to a remote server.

More findings:

But that's not all. After looking at the huge amount of data (the log file was 3.5MB on my EVO 3D) that is vulnerable to apps exploiting this vulnerability all day, I found the following is also exposed (granted, some of which may be already available to any app via the Android APIs):

  • active notifications in the notification bar, including notification text
  • build number, bootloader version, radio version, kernel version
  • network info, including IP addresses
  • full memory info
  • CPU info
  • file system info and free space on each partition
  • running processes
  • current snapshot/stacktrace of not only every running process but every running thread
  • list of installed apps, including permissions used, user ids, versions, and more
  • system properties/variables
  • currently active broadcast listeners and history of past broadcasts received
  • currently active content providers
  • battery info and status, including charging/wake lock history
  • and more

The fix appears to be the removal of a particular application:

Patching the vulnerability is not possible without either root or an update from HTC. If you do root, we recommend immediate removal of Htcloggers (you can find it at /system/app/HtcLoggers.apk).

If you don't know how to do that, well, find someone who does.
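As an added example that is not from the post or from the Android Police write-up it quotes, here is a script that checks an attached phone for the package over adb and, on a rooted device, removes it as the quoted advice recommends. Everything beyond the path /system/app/HtcLoggers.apk is an assumption: that adb is on PATH with USB debugging enabled, that a rooted phone has a working su, and that /system has to be remounted read-write before the file can be deleted.

```shell
#!/bin/sh
# Added example, not code from the original post or from the write-up it quotes:
# detect HTC's HtcLoggers.apk on an attached Android device over adb and, on a
# rooted device, remove it.
#
# Assumptions (none of them stated on the page): 'adb' is on PATH and USB
# debugging is enabled on the phone; a rooted phone has a working 'su'; /system
# must be remounted read-write before the file can be deleted.

SYSTEM_MOUNT="/system"
HTCLOGGER_DIR="/system/app"
HTCLOGGER_APK="HtcLoggers.apk"

# Read a directory listing (one file name per line, as 'adb shell ls /system/app'
# prints it) on stdin and succeed only if the logger package is present.
# Exact fixed-string match, so a package that merely contains the substring
# is not mistaken for it.
listing_has_htclogger() {
    grep -q -x -F "$HTCLOGGER_APK"
}

# Ask the attached device for its /system/app listing and check it.
# adb's shell emits CRLF line endings, so strip the carriage returns first.
device_has_htclogger() {
    adb shell "ls $HTCLOGGER_DIR" | tr -d '\r' | listing_has_htclogger
}

# Root-only removal: remount /system writable, delete the package, remount
# read-only. Without root this fails, which matches the quoted note that the
# only other fix is an update from HTC.
remove_htclogger() {
    adb shell "su -c 'mount -o remount,rw $SYSTEM_MOUNT && rm $HTCLOGGER_DIR/$HTCLOGGER_APK && mount -o remount,ro $SYSTEM_MOUNT'"
}

# Entry point: 'sh htclogger.sh check' only reports; 'sh htclogger.sh remove'
# deletes the package if it is present. With no argument nothing is run.
case "${1:-}" in
    check)
        if device_has_htclogger; then
            echo "$HTCLOGGER_APK present: device is exposed"
        else
            echo "$HTCLOGGER_APK not found"
        fi
        ;;
    remove)
        if device_has_htclogger; then
            remove_htclogger && echo "$HTCLOGGER_APK removed; reboot the phone"
        else
            echo "$HTCLOGGER_APK not found; nothing to remove"
        fi
        ;;
esac
```

Run it with `check` first. Deleting the package stops the logger from collecting the data the quoted list describes, but it does nothing about the apps that were already reading it, and it removes whatever HTC functionality depends on that logger; on a phone that is not rooted the `remove` step will fail and an update from HTC is the only fix.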

Class-action, anyone?


Is safer really better?

I'm a risk-taker. According to life insurance companies, I exhibit a "habitual pattern of high-risk behavior". I love the personal growth that comes from confronting my fears, the exhilaration of pushing my boundaries, and the magic of experiencing life at the edge.

Which is why it seriously bothers me that people are trying to make the world "safe" by their standards. Somewhere in the last 50-75 years, society decided that taking risks was not acceptable, that people like me should not be allowed to explore the world on our terms.

It started with little things: you must wear a seatbelt, or a bicycle helmet, or a reflective vest. Each is a good idea, to be sure. But there is a difference between doing something because it's a good idea and doing something because you have no choice. In the former case, you make a responsible decision for yourself or choose to accept the consequence to your person; in the latter, you make a social decision or face penalization by others, others whose values you may not share. You might be making the same decision either way, but not for the same reasons... and most certainly not for the right reasons.

The scope of safety regulation has grown slowly but steadily: over the years the rules have come to encompass most aspects of daily life.

The problem isn't that safety is encouraged; it's that safety is mandated.

We learn to follow rules which are created by others based on judgments and experiences foreign to us. But very few ever learn to make those same judgments themselves. We do what we're told and are criticized for trying to actually understand (or even worse, question) the rules: we are told to follow.

Do you know why the speed limit was initially set to 55? I'll give you a big hint: it wasn't for safety reasons. But it got spun that way over the years (another big hint: "55 saves lives" was a misrepresentation of an entirely unrelated phenomenon...). Instead of understanding why the rules exist, we just obey them, more or less.

But we don't learn anything that way. Well, we learn how to avoid a ticket. What we don't learn is how to analyze a situation and make reasonable decisions based on our values and goals. That requires experience, and experience requires taking risks. And risk must not be allowed.

And so we get ourselves into big trouble. And our experience tells us there will always be someone to rescue us, no matter how far beyond our limits we go. Something has been lost as a result:

Adventurers of my generation, who started exploring in the 1960s, used the phrase “out there” as a term of highest praise. “Man, Bonatti was really out there on the Dru.” The two words capture it all — out there, near the limits of what is humanly possible, out there where nobody can save you.

Nowadays very few adventurers are truly out there as Mr. Bonatti was. I would argue that it’s their psychic and experiential loss.

In being told how to live safely, in being expected to follow rules without understanding, in expecting that we will be rescued if we get in over our heads, we lose both the ability to think critically about our actions and the opportunity to see how much we really are capable of.

Because another thing happens when we don't take real risks with real consequences: we fail to realize our true potential. Without failure, we stop learning. If we believe we must avoid risk, we never fail, so we never grow.

Living, really living, requires taking chances. It requires learning by making mistakes. It requires taking risks. It requires doing things that could lead to physical, emotional, mental, or spiritual pain.

If we teach ourselves that risk can be avoided, we stop growing, and we start dying.

I, for one, don't like the trend.

What most real-world hacks actually are

When a company gets hacked online, it almost always makes the news in a way that makes it sound far worse than it actually was. This makes the point well:
