Hiding in Glass Houses

You’re building glass houses on the sand
Then you stand around and shake your head
When they all fall down
From Glass Houses by Steel Magnolias

So the big tech and style news this month, in case you missed it, was Apple’s hyperbole laden and new(ish) iPhone 4s and iOS5. This baby boasts everything better, faster and smarter (Siri notwithstanding) than the old school iPhone 4. Including this swell new(ish) app called Find My Friends which is described in Slashgear thusly [emphasis mine].

The free app, which uses GPS to locate your friends and family and, if the privacy settings mash correctly, display them on a map in real-time, can be found here.

But as Aahz the Pervect was wont to say “Therein lies the story”. That deal about privacy settings should be a clue [hint – turn them all off]. There’s even an interesting thread on MacRumors making it’s way around the blogosphere with a tale to make divorce lawyers weep. In agony or ecstasy depending on which side they represent.

I got my wife a new 4s and loaded up find my friends without her knowing. She  told me she was at her friends house in the east village. I’ve had suspicions  about her meeting this guy who live uptown. Lo and behold, Find my Friends has  her right there.

Regardless of the veracity of the post, I posit the following question: Who really thinks it’s a good idea to have everyone know exactly (within 10 meters) where you are at all times? I can think of a number of folks, in addition to suspicious spouses, who love this idea including:

  1. Law Enforcement – rounding up the usual suspects has never been easier
  2. Burglars who prefer victims to be elsewhere than the location being burgled – saves all that unpleasantness associated with being surprised by irate property owners.
  3. Employers who want to verify that employees are actually working from home – or really at the dentist instead of interviewing for another job.

Now certainly there might be situations where this feature would have a non-nefarious or even beneficial usage, like say finding a missing child. I’m just doubtful that would work in a serious situation like say kidnapping. Unless the kidnapper was stupid enough to keep the phone,  like say users of Find My Friends.

You see, here’s the deal – owning a smart phone or other GPS-enabled mobile device is like hiding in a glass house. Unless you take extraordinary measures anyone can find you. At any time.  Problem is most users of the aforementioned devices have no idea how exposed they are by default – not to mention what happens when they use an app like Find My Friends.

About now you may be thinking, “Yeah, well maybe that’s true, but everybody knows that privacy has been dead since 1999 so deal with it”,  channeling Scott McNealy’s infamous comment. Or even “You shouldn’t be worried about privacy unless you have something to hide”.

And that, my friend, is what concerns me. When everyone accepts this truism and becomes willing to trade their privacy – and ultimately their liberty to disagree with whatever authority is currently watching – for slick but useless diversions there will be serious consequences.

We may not be able to do anything about our modern life in glass houses. But at least we can try to hide without constantly screaming our location.

Of screen doors and submarines – locking down your iPhone

It’s about as useless as
A screen door on a submarine
Faith without works baby
It just ain’t happenin’
From Screen Door by Rich Mullins

In a recent post, to the extent that any post here is recent, I wrote about the threat to personal privacy – yea even freedom posed by smart phones. Actually the threat was not so much from the smart phones themselves but the potential of exploitation of them by law enforcement contrary to your best interests. The obvious answer to this problem, as every portable computer using reader of this blog surely knows, is to fully encrypt the device. Locking that bad boy down tight will blow those law enforcement fishing expeditions out of the water. But alas, this is not a realistic option with most smart phones. There are several notable exceptions to this including the RIM Blackberry, mentioned in the earlier post,  which can be configured to be secure and some Linux-based smart phones such as the Nokia N900 described in this comment to that post by reader Gino.

There actually is a solution for full phone (filesystem) encryption: the Nokia N900, a Linux phone that supports Crypto LUKS. I know this for fact as I am typing this with one that has it :)

Albeit there is quite a bit of legwork needed and a fairly good bit of Linux knowledge required to set it up initially, it’s well worth the effort.

Unfortunately that excludes the many smart phone users, including myself, with iPhones. I did find some information in this article in Lifehacker entitled Common Sense Security for Your iPhone about locking down iPhones. To the extent that they can actually be “locked down”. Here are the high points.

Lock Your Phone
The most basic security precaution you can take is to make sure that your iPhone is using a passcode lock—and that the passcode lock will automatically engage after a brief period of inactivity.
Choose a Hard-to-Guess Passcode
On newer versions of iOS, you’ll have an additional option in the Passcode Lock settings labeled “Simple Passcode”. By default, “Simple Passcode” is on—and it essentially means that your passcode will need to be a 4 digit number that you’ll type when unlocking the phone. You can, and should, turn this setting off and enter a passcode that is more difficult to guess than the simple 4 digit pin.
Limit the Maximum Number of Unlock Attempts
To prevent someone from trying to break in to your phone if it’s stolen, take advantage of the setting at the bottom of the “Passcode Lock” settings page, labeled “Erase Data”. By default, this is set to off. Turning it on tells the iPhone to completely wipe the content of the device if 10 failed attempts to unlock the iPhone are recorded.
Take Advantage of the Free “Find My iPhone” App and Remote Data Wipe
Apple provides a great service called “Find My iPhone” that is available for free to any iOS device owner using their Apple ID (the same email address and password you use to purchase apps in the App Store). Complete instructions for setting up Find My iPhone are available on Apple’s Web Site. By default, the free Find My iPhone is only for 2010+ devices, but anyone can enable and use Find My iPhone on the 3GS and other pre-2010 devices. Here’s how.

While these are certainly valuable steps to take towards basic iPhone privacy, the efficacy vis-a-vis keeping out determined and well equipped snoopers is akin to locking the screen door on a submarine. This article by the oft-quoted [in this blog] Sharon Nelson of {ride the lightning} for the American Bar Association’s Law Practice Magazine entitled Why Lawyers Shouldn’t Use The IPhone: A Security Nightmare explains thusly.

The words iPhone and security do not belong in the same sentence, although you would never know it from the Apple marketing blitz. Some of the advertised features of the iPhone 3GS are the inclusion of encryption and remote wipe functions. As most folks know, encryption is a killer for computer forensic examiners and a fine way to protect your data. So what does encryption do for the 3GS? Not a heck of a lot. From my foxhole, it appears that encryption was an afterthought and not inherent in the iPhone design.

Jonathan Zdziarski has demonstrated how easy it is to gain access to a supposedly secure iPhone 3GS. Should we believe him? I certainly do, especially since I own his book on iPhone forensics and have personally seen the mountains and mountains of electronic evidence that is stored on an iPhone. The key to gaining access to the data is to extract a disk image from the device. First off you “jailbreak” the phone by placing it into recovery mode and installing a custom RAM disk to the iPhone. Jonathan mentions that the tools are only available to law enforcement (nice thought, but not so), but also acknowledges that it is fairly simple to develop your own. Several products like Red Sn0w and Purple Ra1n are freely available to “jailbreak” the phone. You then install a Secure Shell (SSH) client to port the raw disk image onto your computer.

Those of us in the forensic community know that sucking a disk image from an encrypted drive to a destination drive just gets you another encrypted image which is no earthly good to you. What makes the iPhone 3GS any different? This is the part where Apple is so very, very helpful. Even though the data on the iPhone disk is stored in an encrypted form, the iPhone actually decrypts the data as it feeds the zeros and ones through the SSH connection.

In order to secure your iPhone, make sure you configure an unlock code. Then again, perhaps you shouldn’t waste your time. Jonathan has another demo where he replaces the passcode file with one that contains a blank password, effectively removing the unlock code. How is this possible? Just like the previous explanation, putting the iPhone into recovery mode doesn’t require the passcode PIN.

Apple says losing your phone is not a problem, you just use the remote wipe feature to “kill” all of the personal data. There’s a problem with that too. The remote wipe feature requires that the iPhone be connected to the cellular network and removing the SIM card or placing the phone in a Faraday box would solve the network connection problem. Take the phone off the cellular network and you can take all day to retrieve the disk image (in an unencrypted form) from the iPhone.

Yep. Screen door on a submarine. In a follow up entry on {ride the lightning} Sharon finds even more reasons to declare “iPhone security” an oxymoron.

Most users are not aware that the iPhone conveniently creates a screenshot and saves it as a temporary file on the phone. Wired has an article that explains the how and why and is available at http://www.wired.com/gadgetlab/2008/09/hacker-says-sec/. The end result is that there is a very complete “audit trail” of activity that is done on an iPhone, even if the user doesn’t save any data. As an example, you can open a message that contains personally identifiable information and then immediately delete it. Guess what? All of that private data is on the phone until it is overwritten, which could be some time. As we mentioned in the article, the iPhone is an “evidence rich” device. These recoverable screenshots are one reason why and we’ve verified the existence of them through a ton of real world investigations. We’ve never seen this type of activity on any other phone.

Does all of this mean that the iPhone is the ONLY insecure cellular phone on the market? Obviously not, but it is at the top of our list, especially considering the hundreds of phones we get each year for evidence analysis. Any smartphone with a browser is subject to the same attacks and infection as any Internet user. We know many iPhone users are saying that security is the issue and is not unique to the iPhone. Perhaps the truth hurts. Security is a major issue for any law firm, but using a device that does not enforce PIN integrity is a little crazy in my book. I wouldn’t want to make that argument to a malpractice carrier.

Well so much for the delusions of privacy and security on the iPhone. I guess now we’re back to putting it in a bag in the trunk when we travel. At least in California. Or switching to Blackberry or N900 if we’re lawyers.

Great stuff that never happened

Bury your memories bury your friends,
Leave it alone for a year or two.
Till the stories go hazy and the legends come true,
Then do it again. Some Things never end.
From “Eleventh Earl of Mar” Genesis

John Brandon has an article in ComputerWorld, Famous tech myths that just won’t die. Wherein he attempts to lay to rest some of our most treasured tech myths. Submitted for your approval is a concise list of those myths. And my brief comments. Seriously you didn’t think you were going to get off that easy did you.

  • Bill Gates dropped a $1,000 bill and didn’t bother to pick it up – Can you imagine the guy who ruled the Microserfs dropping a $1 bill much less not picking it up?
  • The iPhone 3G has a kill switch that Apple can use to disable the device – Actually it does. It’s called AT&T here in America. No wait, that’s a killjoy switch. My bad.
  • Internet2 will replace the Internet – Now this is just silly. Everyone knows the internet will be replaced by the Cepheid Galactic Internet.
  • PC gaming is dying or already dead – Just keep telling yourself this while you’re getting fragged online by newbs with an unfair advantage (a PC), X-box boy.
  • Apple is working on a MacTablet – What, the Newton wasn’t good enough?
  • Forwarding an e-mail has rewards of some kind – Only if you forward it from someone else’s account and can watch the comedic aftermath. And not get caught.
  • Al Gore said he invented the Internet – Well maybe not, but Ted Stevens discovered that the internet is “not a truck. It’s a series of tubes.” Which is a good thing since the truck couldn’t get to where it needs to go via another Stevens invention, the bridge to nowhere (actually that’s not completely true it could go to Gravina Island – population 50).

Come on John, the next thing you are going to tell me is that my long lost uncle really didn’t die in Nigeria and leave me millions. Just be that way.

Security ideas for your mom part 1

So here’s the scenario:

Your mom wants to get a PC so she can get email, check out those internets and use the google. She’s heard about all the nasty stuff out there like in those commercials with the little old lady speaking with the voice of a biker. So she knows it’s a dangerous world out there on the internets and knows she must get some of that security to protect her. Of course she calls you, since you use that stuff all the time at work. Oh … and she thinks those “I’m a Mac, I’m a PC” commercials are really cute and that a Mac would be great because it doesn’t get any of those nasty viruses.

Sound familiar? Thought so. So what do you tell her? How about, “Gee mom, sounds like what you really need is a good cell phone, not a computer” or “Sure, get a Mac and then you can be stylish while getting pwned“. Problem is, you like your mom and want to help her make the right choice. Other problem is that you also like your significant other and really don’t want to commit to a full-time tech support gig.

What you’ve just encountered is the fundamental problem in personal computer security. For years Bill and Steve have been telling us that a personal computer is an appliance, just like a television or a toaster. That certainly sells lots of PCs and Macs but the problem is that, well, it’s balderdash. Hogwash. Crapola. When you purchase your first computer you discover this right away. Ahh, but not to worry – Uncle Bill (actually Uncle Steve now) has you covered. They’ll automatically push out fixes (to stuff they built wrong!) to keep you safe and secure. Okay… But wait! There’s more! There are many companies out there just dying to help you be more safe and secure who can’t wait to get their hands on your money. So before you know it that spiffy new computer you bought runs like a bloated turtle and you get to pony up annual payments for that privilege. And are you really safe and secure? Maybe. Possibly. Who knows?

So let’s go back to the original question: what is security in this context? What are the risks that your mom will face online and how does she manage them? Can you really “buy security” (or lease it per current business models) to manage these risks? Hang on there, Hoss! You just listen to Uncle Joe before you turn over any of mom’s hard-won dinero. Here is the Joe’s official in order list of security ideas for your mom.

Security Ideas for Mom

  1. Think. Don’t be an idiot. The vast majority of cyber incidents that result in actual damage could have been prevented by a simple smell test. This covers a lot of territory, but basically it comes down to this – use common sense. Obvious stuff like, don’t open email attachments you weren’t expecting or can’t identify. Or if something pops up you don’t understand – find out what it is before you click on it. My friend, a computer novice, recently upgraded to get online. He had all of the stuff you are supposed to have including anti-virus software from a leading vendor (think yellow box). So he gets this browser pop-up while he’s surfing that says “Your computer is infected with a virus!!! Press this button to remove it and make your system safe!!!” So he does. And it does heinous things to his computer, including disabling his spiffy yellow AV. DOH! It’s time to put that PC out of it’s misery and start over. This ugliness could have been prevented had my friend, an otherwise intelligent person, just thought about it for a moment and asked himself one simple question: “does this seem fishy?” (the smell test!). But isn’t that a little harsh? I mean we already established that he’s a computer novice. No, actually, it’s a dandy segue into the next point.
  2. Learn how to use your hardware and software. Or stated in the reverse, don’t use something you don’t understand. What I’m not suggesting here is that mom should become a hacker just so she can check email. Look at it this way: I don’t understand the complete operation of the stability control system in my Honda, but I do know that when the “TPS (Tire Pressure Sensor)” light comes on that I better check and adjust the tire pressure, and if the light doesn’t go off when I’ve done that I should take it in to my local Honda dealer. (Honda – here is an excellent sponsorship opportunity). The point is that you don’t need to be an expert, you just need to know basically how the system works and what it’s trying to tell you. In the example of my friend of #1, Had he known what to expect from his AV software when it encountered a virus, he wouldn’t have been fooled by the phony. If you don’t understand what a program does, then you almost certainly don’t need it. But wait – what about all that stuff that comes with mom’s new computer? Isn’t the point of that to take care of everything so that she doesn’t have to know anything about computers? In a word, NO! The purpose of that stuff – which is mostly crapware – is to sell you more stuff you don’t need. You think the company who manufactured your computer has your best interest at heart? See #1. And once again another dandy segue into the next point.
  3. It’s your computer. You don’t have to run anything you don’t want. Mom needs to show that machine who’s boss – Yeah who’s your mama! The point here is that just because your computer came with XYZ security suite (one month trial!) and your internet service provider gives you ABC security suite (the “lite” version – but for a fee you can get the real version!) you don’t have to use either. Remember – who’s your mama! If you really want to use a security suite then do a little research (see #2) and check out the many excellent free and open source packages. Chances are you can get out of this without parting with more of your dough. But more to the point, choose your computer wisely in the first place. Most folks walk into their local electronics superstore and expect the friendly sales staff to educate them about what they should buy. Duh – see #1. Why not, instead, make the idea of computer as appliance your goal? Lets take this from the top: Mom wants to a. get email, b. surf the web, c. search for information (as translated from the earlier mom-speak). My iPhone does all that and much more. In fact my iPhone does way too much for what mom needs, so she shouldn’t spend the money. My son has a modestly priced smart phone that does everything mom needs. Both phones are totally cool and pretty easy to use and you can turn off stuff you don’t need. And both are quite a bit more like an appliance than your average PC. The idea here is that you should get something that does what you need and only what you need. Also, forget the idea that you should “buy something that you can grow with”. Balderdash. Hogwash. Crapola. Whatever you buy today is going to be landfill fodder in 5 years (actually 3 years if you depreciate it with the IRS). There is no rule that says you must be able to read email, surf the web, chat with your friends, edit photographs, make music and produce movies all on the same device. Despite what the commercials say. See #1. In fact, let me assure you as a semi-serious electronic music producer, I definitely do not want my studio machine to be surfing the web. Remember – who’s your mama! Yeah I have multiple machines. One to do email and internet-related stuff and, well, lots of others to do other stuff (I admit it – I’m a geek). But my email and internet box is old (like 8 years old!) and cheap and it does it’s one job really well. Just like a toaster. Don’t be afraid to look into a mini laptop. These babies are small, cheap and will do everything mom needs. So on to the next idea (which is really a corollary to #1). Sorry lame segue this time.
  4. Your friends are clueless. Sad but true. When mom starts getting email she will no doubt have friends and relatives who think that chain letters really do bring good luck and/or prosperity and everyone they know should be alerted to the latest (to them) internet jokes and inspirational (why are angels supposed to be inspirational?) ravings. These well meaning folks will grab onto an internet hoax or urban legend and spam every one they have ever known with it. Some of these will turn out to be phishing scams, or “manual malware” (e.g. “to defeat this evil virus that no AV software can detect remove the KERNEL.SYS file“). Bottom line is, mom should seriously suspect any content she receives from these lovable – but clueless – folks. Especially when they state “you must see this adorable …” – no you must not. But just in case mom refuses to believe that Aunt Helen would ever send her something nasty. I know this guy in Nigeria who really needs to get a bunch of money out of the country and he’s willing to cut someone in if they’ll help him.

So before this post gets (even more) out of hand, notice that these first – and most important – four ideas have nothing to do with which anti virus software is best, or whether Macs are more secure than PCs. They are about common sense. Which isn’t all that common. I’ll actually get into addressing specific risks when “Security ideas for your mom” continues in another post.