May 27, 2016

Digital Deadbolts Part 2: How to Protect your Security and Privacy Online

Hello readers! This is the first article in a series of articles I'm doing in collaboration with digital-issues advocacy group OpenMedia. You can also read this article on their website. Enjoy!

Last week, I talked about some different methods that you can and should use to protect your privacy and security online. 

One of the key takeaways from that discussion is that each of you needs to assess your own specific security requirements. A good deadbolt will stop most people from entering your home without your consent, but it won’t stop a skilled individual with a set of lockpicks, and it certainly won’t stop a battering ram. Likewise, the tools I discussed last week will protect most of us from most threats we face online, but they won’t necessarily stop sophisticated hackers with sophisticated tools.

Most of the time, you don’t need to worry about sophisticated attacks. Higher profile targets are people like journalists, dissidents, and political activists, who are less able to count on their data being safe, or their communications being private. 

While investigating the Panama Papers, the International Consortium of Investigative Journalists knew that they couldn’t take any chances with their digital security. There are a number of groups that would be interested in compromising that investigation, including powerful politicians, big business, and criminals. Such parties are formidable adversaries, and may have the ability to hack into email servers, or demand e-mail content from service providers via warrant. 

So even with basic digital diligence, not everyone will be able to fend off hackers. In such cases, we need to go the extra mile with digital security practices. Once again, let’s dig in.

(Note: The technologies we’re discussing today are inherently more complicated than those mentioned in part one. They take more time and know-how to set up, and specifics may vary depending on the particular product being used. In the interest of keeping this article a reasonable length, I won’t go into any details of set-up. However, links have been provided for further reading!)

Use a Virtual Private Network (VPN)
If you are concerned about your ISP or government actors looking at your internet traffic, you can turn to software tools that will help you anonymize your traffic. A VPN, or Virtual Private Network, allows a user to encrypt their device’s traffic and route it through another machine on the internet (a VPN server), making it difficult for an observer to figure out where the traffic originates.

You may be most familiar with VPNs for their ability to let you view websites from different countries with content restrictions. That's part of the reason that companies like Netflix have begun blocking VPNs – as a way to prevent the circumvention of geoblocking. But VPNs can also be used by citizens in nations with Internet censorship to access news and websites which might otherwise be blocked by government firewalls. A VPN can also sometimes be used to circumvent throttling (by your ISP) of specific services, such as streaming video sites or gaming.

VPNs are not a perfect privacy solution – they can only do so much. You'll want to select a VPN provider that does not retain activity logs. Log data such as IP addresses could indicate what you accessed, and later be appropriated by hackers or government actors. Also, browsing the web while connected to the VPN doesn’t prevent the websites you visit from identifying you through the use of tracking cookies.

VyprVPN, ExpressVPN, and TunnelBear are all VPN services that keep minimal or no logs on user activity.

Transport-level encryption (like HTTPS) keeps hackers from intercepting connections over the web. But what happens if someone actually breaks into your account? What if authorities obtain legal access to your email service provider? Encrypted connections don’t help in either of these scenarios. That’s why the aforementioned journalists who broke the Panama Papers story used PGP to make sure that the content of their emails was encrypted; not just in transit, but at all times. 

PGP encryption (short for Pretty Good Privacy) works in tandem with your mail client: whether that’s Thunderbird, Outlook, Apple Mail, or Gmail’s web interface. PGP encrypts data before it’s even transmitted, and only the intended recipient has the key to decrypt it.

PGP has a much steeper learning curve than anything else on this list. Additionally, it’s a system that only works if it has been set up in advance by you and your correspondents, requiring both parties to install PGP software. That said, once it’s set up, it’s incredibly simple to use. And it’s an essential tool for anyone who needs to be absolutely sure that an email can’t be read by anyone but the intended recipient. EFF has a primer for PGP as well as guides for setting it up on Windows and Mac OS X.
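The difference between encrypting the connection and encrypting the message itself can be shown in a few lines. The following is an added example, not code from this article or from any PGP product: it uses RSA-OAEP and AES-GCM from the Python `cryptography` package as a stand-in for the same hybrid idea PGP uses (it does not produce real OpenPGP messages), and the function names are made up for the illustration.

```python
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Padding used when wrapping the per-message key with the recipient's public key.
OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)


def new_keypair():
    """Each correspondent generates a key pair and shares only the public half."""
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def seal(recipient_public, subject, body):
    """Sender side: encrypt the body before it ever leaves the sender's machine."""
    session_key = AESGCM.generate_key(bit_length=256)  # fresh key for this message
    nonce = os.urandom(12)
    return {
        # Headers such as the subject typically stay readable with PGP mail.
        "subject": subject,
        # Only the holder of the matching private key can unwrap the session key.
        "wrapped_key": recipient_public.encrypt(session_key, OAEP),
        "nonce": nonce,
        "ciphertext": AESGCM(session_key).encrypt(nonce, body.encode(), None),
    }


def open_mail(private_key, mail):
    """Recipient side: unwrap the session key, then decrypt and verify the body."""
    session_key = private_key.decrypt(mail["wrapped_key"], OAEP)
    plain = AESGCM(session_key).decrypt(mail["nonce"], mail["ciphertext"], None)
    return plain.decode()


def provider_view(mail):
    """All bytes a mail provider (or someone inside the account) has on file."""
    return (mail["subject"].encode() + mail["wrapped_key"]
            + mail["nonce"] + mail["ciphertext"])


def can_read(private_key, mail):
    """True only if this private key opens the message."""
    try:
        open_mail(private_key, mail)
        return True
    except (ValueError, InvalidTag):
        return False


if __name__ == "__main__":
    recipient = new_keypair()   # the intended correspondent
    someone_else = new_keypair()  # any other key holder
    mail = seal(recipient.public_key(), "Lunch?", "Draft attached, do not forward.")
    print("body visible to provider:", b"do not forward" in provider_view(mail))
    print("subject visible to provider:", b"Lunch?" in provider_view(mail))
    print("recipient can read:", can_read(recipient, mail))
    print("other key can read:", can_read(someone_else, mail))
```

The stored message is unreadable to the provider, but the subject line is not, which is why sensitive details belong in the body rather than the headers.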

Encrypt Your Hard Drive
Do you have sensitive documents? You may (rightfully so) be concerned about sending or storing them on a cloud-based service. As mentioned in the section about PGP, online services can be hacked, or their contents forcibly divulged by lawful warrants. The obvious alternative is to store files locally, but the disadvantage is that local devices – like laptops or USB thumb drives – can be stolen.

Having a password lock on a computer is a critical first step, and will protect it briefly. But if anyone gains physical access to your computer for long enough, the files are still readily accessible by a few different means. The ironclad solution is to use software that encrypts your disk. When a disk is encrypted, its contents can’t be read without a key or passphrase. 

It’s pretty simple to encrypt your computer’s startup disk, and most operating systems now come equipped with an option to turn on disk encryption. Just be aware that if you ever lose your passphrase or key, your data will be inaccessible for good – make sure to remember that key and do regular backups! External drives are fairly easy to encrypt. Free software VeraCrypt (which owes its lineage to the now-discontinued TrueCrypt) is a good cross-platform solution for disk encryption. 

If you feel up to using full boot-disk encryption, certain Windows editions come with Microsoft BitLocker, while Mac OS X ships with FileVault.
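Once encryption is switched on, it is worth confirming that every drive is actually protected. The following is an added example, not part of the original article or of either product: it reads the text printed by `manage-bde -status` (BitLocker) and `fdesetup status` (FileVault) and flags drives that are unencrypted, still converting, or encrypted with protection switched off. The sample outputs are constructed, trimmed to the relevant fields, and assume the English-language output layout; the function names are made up for the illustration.

```python
import re

# Constructed sample in the layout of `manage-bde -status` (fields trimmed).
BITLOCKER_SAMPLE = """\
Volume C: [Windows]
[OS Volume]

    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Protection Status:    Protection On

Volume D: [Data]
[Data Volume]

    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Protection Status:    Protection Off

Volume E: [USB stick]
[Data Volume]

    Conversion Status:    Fully Decrypted
    Percentage Encrypted: 0.0%
    Protection Status:    Protection Off
"""

# Constructed samples in the layout of `fdesetup status`.
FILEVAULT_ON = "FileVault is On.\n"
FILEVAULT_CONVERTING = "FileVault is On.\nEncryption in progress: Percent completed = 45\n"
FILEVAULT_OFF = "FileVault is Off.\n"


def parse_bitlocker(text):
    """Split the report into {drive letter: {field name: value}}."""
    volumes, current = {}, None
    for line in text.splitlines():
        header = re.match(r"Volume ([A-Z]:)", line)
        if header:
            current = volumes.setdefault(header.group(1), {})
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return volumes


def assess_bitlocker(text):
    """Give each volume a verdict; only 'protected' means the data is safe at rest."""
    verdicts = {}
    for drive, fields in parse_bitlocker(text).items():
        percent = float(fields.get("Percentage Encrypted", "0").rstrip("%"))
        protection_on = fields.get("Protection Status") == "Protection On"
        if percent == 0:
            verdicts[drive] = "unencrypted"
        elif percent < 100:
            verdicts[drive] = "partially encrypted"
        elif not protection_on:
            # Data is encrypted, but the key is not being guarded (e.g. suspended).
            verdicts[drive] = "encrypted but protection off"
        else:
            verdicts[drive] = "protected"
    return verdicts


def assess_filevault(text):
    """Verdict for the Mac startup disk; unexpected output is reported, not trusted."""
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    if lines and lines[0] == "FileVault is Off.":
        return "unencrypted"
    if lines and lines[0] == "FileVault is On.":
        converting = any(l.startswith("Encryption in progress") for l in lines)
        return "partially encrypted" if converting else "protected"
    return "unknown"


def needs_attention(verdicts):
    """Drives whose contents could still be read from a stolen device."""
    return sorted(d for d, v in verdicts.items() if v != "protected")


if __name__ == "__main__":
    report = assess_bitlocker(BITLOCKER_SAMPLE)
    for drive, verdict in report.items():
        print(drive, verdict)
    print("needs attention:", needs_attention(report))
    print("Mac startup disk:", assess_filevault(FILEVAULT_CONVERTING))
```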

Final thoughts

Some of you may feel that the tools I’ve outlined are above and beyond what you need for your own personal security. That’s okay! Every individual or organization needs to assess their own risk level. As the Panama Papers have shown us, such tools are essential for enabling great work to be done without fear of interference. While some will protest that only the guilty have something to hide, the fact is that for the free press to function, complete secrecy is sometimes necessary. Moreover, everyone has something they'd rather keep secret; the ability to have private moments, thoughts, and communications is critical for democracy, and free expression.

As Edward Snowden once wrote:

"Arguing that you don't care about the right to privacy because you have nothing to hide is no different than saying you don't care about free speech because you have nothing to say."

Combination lock by frbird via VectorStock

May 19, 2016

Digital Deadbolts: How to Protect your Security and Privacy Online

Hello readers! This is the first article in a series of articles I'm doing in collaboration with digital-issues advocacy group OpenMedia. You can also read this article on their website. Enjoy!

The front door of your home has a lock on it – and chances are, you use it. That doesn’t make you an elitist who thinks that you’re better than the people outside, nor does it make you paranoid. Rather, a lock on your door is regarded as common sense. It keeps unscrupulous people from stealing your stuff, or from walking into your house and looking at you in the shower.

Security doesn’t end at your front door. You might have windows with stops on them. If your neighbourhood doesn’t always feel safe, you might consider an alarm system. The same goes for your computer, and your online presence. The Internet, as a whole, is kind of a rough neighbourhood. For good or bad, we are all connected to that entire neighbourhood, and some of the residents aren’t so savoury. 

Apr 12, 2016

Collaboration with OpenMedia

Hello good readers!

I am excited to announce that this spring and summer, I'll be embarking on a collaboration with OpenMedia. I've mentioned OpenMedia on the blog several times; they're fierce defenders of internet freedom and accessibility here in Canada and abroad.

As a volunteer content creator, I'll be writing some articles (and possibly creating other materials) for the OpenMedia website about online security/privacy, digital rights, and other tech-political issues. Don't worry though, all that stuff will be cross-posted on this blog as well, so you'll be able to read them wherever you prefer.

As I said, I'm super excited to be collaborating with these folks. Watch this space for updates!

Mar 17, 2016

#0000FF or Lament of the Print Designer Who Loves Blue

Ah, #0000FF.

It's known to most of you as "blue", but that designation doesn't nail it. After all, people say that the sky is "blue", or that their pale, bluish business shirt is "blue", or that navy uniforms are "blue". So there's no point in me saying "blue", because you won't get what I really mean. What I mean is #0000FF.

For those of you who don't know, "#0000FF" is a way of expressing colour on a computer, using the RGB colour space. Your computer monitor has pixels with red, green, and blue components (hence, RGB). A pixel can add RGB in equal, maximal amounts to create white, expressed as "#FFFFFF". Without going into too much detail, "FF" is 255 in the hexadecimal number system, used frequently in computer programming. The six digits represent the red, green, and blue attributes respectively. Thus, #FF0000 is pure red, #00FF00 is pure green, #0000FF is pure blue, and "#000000" (the absence of any colour value) is black.

#0000FF is an amazing colour. It's the colour of the classic cobalt blue pigment used by painters and glassmakers. It smacks of polished lapis lazuli. It's rich and deep, simultaneously inflaming and calming the senses. Some statistics show that "blue", broadly, is the favourite colour of a majority of people. Well, #0000FF is my favourite colour, by far.

Unfortunately, there's a problem: You can't print #0000FF... not really.

At this point a lot of people will be scratching their heads in confusion and disbelief: "Huh? Of course you can print blue!" Meanwhile, the designers in the audience will be rolling their eyes: "Oh, here we go, another rant about the CMYK gamut range". You are correct, designers. Go have a coffee while I explain this to the muggles.

Here's the thing: computer monitors add RGB light together - and the aggregate makes white; but when you're printing, you add cyan, magenta, yellow, and black (aka CMYK) inks together - and the aggregate makes black. We call RGB additive (more colours means lighter), whereas process CMYK is subtractive (more colours means darker).

The difficulty with a subtractive colour scheme is that it's inherently more restrictive than just adding different kinds of light together. You can make a colour lighter by simply adding less ink (since the paper is already white - this is called half-toning) but it's never perfect. The reasons for this are complex and have to do with a myriad of factors, including how the inks reflect and absorb various wavelengths of light (and provide the end colour that you observe) and the physical absorption of the inks into the printing medium (usually paper stock).

We call the range of colours that can be produced by any given colour schema its "gamut". Like CMYK, RGB also has a limited gamut compared to "real-life" colour, but for most practical purposes, RGB is capable of producing the vast majority of colours that most humans can see. CMYK... not so much.

The component inks of CMYK have been formulated to be able to cover many, but not all, colours. CMYK is not super great at reproducing #FF0000 red. It's kinda bad at #00FF00 green. But the worst, by far, is the coverage of #0000FF blue. Just take a look at this RGB to CMYK conversion simulation by Wikipedia:

Okay, I'll just convert to CMYK and YYEEEUUCCCHHHH

The CMYK spectrum looks different here and there, but blue in particular looks washed out and grey-ish. It's almost like the CMYK colour-space (first conceived of in 1906, and later codified by colour-matching-juggernaut Pantone in the 1950s) was designed by people for whom pure blue and purple represented only fear and sadness.

Life is meaningless

I disagree: Blue is Joy (or at least Joy's hair).

But wait, there's hope! You see, mixing cyan, magenta, yellow, and black inks isn't the only way to print. We also have what are called spot colours. A spot colour is a premixed ink - in contrast to blending CMYK inks on paper using halftones. The aforementioned company Pantone is best known for the eponymous colour swatches which list various colours that can be pre-mixed by printing companies for precise colour results. Spot colours are important when you're printing large areas of single, flat colours (eg: white text on a solid orange background), because the halftoning dots of CMYK process become a lot more obvious. Spot colours can also be used to make certain colours (like #0000FF) "pop" more, especially when they don't look good in the CMYK gamut range.

Unfortunately, there's another problem:

One of the best inks for producing (something close to) #0000FF is known in the Pantone scheme as Reflex Blue. It's not perfect, but it's saturated and has a vitality that the CMYK equivalent lacks... and many printers HATE it. Naturally, every colour is created using different chemical pigments, and the pigments in Reflex Blue take twice as long to dry as anything out there. Many printers say that it needs to be coated with special treatments because it never fully dries. I can attest from experience that blue projects tend to come back from the printers feeling a bit tacky, and they smear and stain surfaces more readily.

When desktop publishing first started rolling in the 80's and 90's, designers were generally much more aware of the CMYK gamut restrictions. In today's world you're less likely to have print ads, brochures, and promotional folios, and more likely to be focused on in-browser ads, websites, and promotional PDFs. The prominence of digital media means that designers can often design in RGB. It also means the amateurs are more likely to be shocked when their designs fall (chromatically) flat in print.

Professional designers and printers have been dealing with this for a long time and have come up with lots of tricks for working around gamut limitations. But when it comes down to the nitty-gritty, using #0000FF in complex designs is considered a no-no. We could come up with a new, better process scheme by adding additional inks (as some have tried), but it seems unlikely that any new scheme will enter the common usage.

However, as we increasingly move towards a paperless - and thus inkless - world, I'm filled with hope. So I will continue to design with #0000FF blue. It's a beautiful colour, unfairly slighted by the process gamut. Raise a cobalt-blue glass with me and toast: to #0000FF, the best colour of them all.

Top Image Composed of:
Wow by LTerraC, Creative Commons 2.0
Blue as in Blue by Alan Levine, Creative Commons 2.0
Polished Lapis Lazuli by MarcelClemens, Shutterstock

Feb 24, 2016

How Encryption Works, and Why it Can't be Backdoored

It's time to learn about encryption.

I am blessed to know a lot of smart and politically astute people. You are (by and large) rational and progressive folks who enjoy learning new things. Encryption is something we use every day, when we connect to Facebook or Google or Twitter. We absolutely depend upon it when we log into our bank accounts online, our PayPal account, or the website of the Canada Revenue Agency to submit our taxes. For all these things, we're using HTTPS. You might know that "HTTP" stands for "HyperText Transmission Protocol". The "S" stands for "Secure" or "SSL", whichever you prefer. You also probably know that this protocol keeps your data safe from spying eyes.

You probably don't know the nitty-gritty of how HTTPS works. If you're curious, and you have a little patience, and you're willing to accept a slightly simplified version of the process, then I'd love to explain it to you.

Some Validation

On this blog and social media, I've been trying to push the label of "Science Denial" onto the current encryption debate. When a plurality of experts say something isn't possible/feasible, and politicians refuse to listen to that, what you have there is science denial.

Sadly, no one really picked up that ball and ran with it. I was starting to fear that what I thought was a powerful piece of rhetoric in this argument was just hubris.

Thankfully, Cory Doctorow's latest piece in the Guardian today validates the argument:
There’s precedent for this kind of contradiction, where something urgent is considered a settled matter in expert circles, but is still a political football in policy circles: climate change. Denialism is a deadly feature of 21st-century life.

I recommend a full read through for everyone. Doctorow has taken all the most powerful arguments and distilled them into a potent tonic. Magnifique.

Feb 17, 2016

The Line in the Sand: iOS Encryption

By now, anyone who cares to read this article probably knows the background, but here's the short-short version:

Apple has been compelled by a court order to comply with an FBI demand to circumvent security on the iPhone of one of the San Bernardino shooters. Specifically, the FBI wants Apple to create a custom version of iOS that bypasses data protections, which could be loaded onto the phone to break the passcode and/or encryption. Apple has refused this order, and an open letter by Apple CEO Tim Cook has explained why following this order would be disastrous for computer security and have broad-reaching repercussions.

Feb 2, 2016

The Conspiracy to Slow Down Your iPhone

I feel like I'm about to make myself incredibly unpopular just by stating the facts.

But hey, I work in IT, I'm used to it.

Back in November, I wrote my article The Conspiracy to Slow Down Your Computer. It turned out to be a surprisingly popular article, though I suspect a lot of people who clicked for the title were disappointed. The spoiler is that there is no conspiracy, except perhaps for manufacturers shipping computers with 4GB of RAM, which isn't really enough. I touched on smartphones in my introduction, as they related to software updates and performance, but didn't really go into depth.

So it almost seemed like prescience when, a month later, a group of angry iPhone users got together and launched a class-action lawsuit against Apple, claiming that iOS 9 had "significantly" slowed down their iPhones. They allege that Apple did it on purpose, so that they'd be forced to buy new iPhones.

Jan 26, 2016

We Are the Nerds: and You Need to Listen to Us

First and foremost, I apologize for my extended absence. Between a ten-day vacation, the rush of the holiday season, and a subsequent spate of random winter colds and flus, writing hasn't exactly been at the top of my list of priorities.

But more than that, I've been stuck. I write on this blog because there are an enormous number of technology-politics topics that deserve the public's attention. They're absolutely crucial issues: the effect that the TPP will have on archives and copyright; or whether the NSA can spy on Canadians' medical or tax information; or - perhaps worst of all - the fact that politicians are considering banning end-to-end encryption, putting the data of ordinary citizens at risk of interception by spies, criminals, hackers, and yes, even terrorists.

The problem is, these topics aren't sexy. 

Add to that the fact that everyone's Facebook, Twitter, and reddit are chock-full of articles vying for their attention - from social justice issues and world news, to celebrity gossip and the latest Buzzfeed listicle. Technology politics is a particularly difficult subject to cover, because it combines two things that a lot of people consider to be, frankly, boring.

That would be okay, just as long as politicians and leaders were heeding our advice - particularly the advice of computer security experts and privacy advocates. 

The second problem is that leaders aren't listening either.

The third problem is that they think they know better.

Those may sound like inflammatory accusations, but the proof is in the encryption debate. I won't rehash (pun intended) all the evidence I've provided on this blog. The tl;dr is that banning end-to-end encryption, or providing a secret backdoor for government agencies, will make encryption useless, and fundamentally break the internet as we know it in dangerous ways. America's best and brightest - Apple, Microsoft, and Google, to name a few - have told the US government as much.

Then, Democratic US presidential candidate Hillary Clinton said things like this:
"...we need Silicon Valley not to view government as its adversary. We need to challenge our best minds in the private sector to work with our best minds in the public sector to develop solutions that will both keep us safe and protect our privacy."

... and...
"I would hope that, given the extraordinary capacities that the tech community has and the legitimate needs and questions from law enforcement, that there could be a Manhattan-like project — something that would bring the government and the tech communities together to see they're not adversaries, they've got to be partners."

... and then...
"I don't know enough about the technology ... to be able to say what it is..."

Re-read those passages again if you need to, I'll wait. Let them sink in. Ready?

In summation: One of the front-runner candidates for President of the United States (a progressive, experienced, and actually-qualified candidate, no less), called the tech community - the people who are telling her that adding secure backdoors to encryption is impossible - "our best minds" with "extraordinary capacities". She admits that she herself, in comparison, has no idea what she's talking about; and yet, despite this, and despite the fact that the tech community has told her this request is impossible, she unequivocally expects them to just sort of figure it out, and randomly evokes the development of the nuclear bomb as an analogy.

Not to split hairs (about splitting atoms), but nuclear physicists were pretty certain that a nuclear bomb was possible before they even tried to figure out the mechanics of how to build one. Encryption experts, security experts, computer scientists all know, right now, that engineering a backdoor to encryption schemes is a terrible idea which negates security. Adding to that general horribleness is the fact that politicians and law enforcement seem to be misrepresenting this issue as a debate about balancing privacy and security (which itself is a false dilemma), rather than an impossible proposal by laypersons which will destroy our entire security apparatus. 

Hillary isn't alone. Both Republican frontrunner *shudder* Donald Trump and UK Prime Minister David Cameron are outspoken advocates of this incredibly bad idea, despite the intense opposition of tech industry and security experts. One wonders: Are they simply not paying attention? How can you, in a single breath, characterize a group of people as experts who are the "best and brightest", then roundly ignore their response that what you've asked for is unfeasible and dangerous? How do you not sense your own hypocrisy when you're in it up to your nose?

As an IT professional, such attitudes are sadly not unfamiliar to me. While I must laud my own co-workers for being respectful and polite when they approach me with problems, I've had my share of horror stories: like when you ask someone if they're sure this-or-that is plugged in, they rail at you about how they're not stupid, only to realize a second later that this-or-that was not actually plugged in (troubleshooting starts at the ground floor, friends); or when a friend or family member begs for your advice fixing this-or-that, then proceeds to argue against all of your advice, assuring you that "I already tried that", generally cutting down your expertise and making the methodical troubleshooting process impossible.

While I was preparing to write this article*, I realized that my experiences as an IT professional might be more generally universal than I'd first considered. I reached out to an old friend of mine, who is now a medical doctor specializing in anesthesiology. I explained my frustrations, using encryption as a specific example. My friend resoundingly echoed very similar frustrations: a portion of patients regularly feel the need to contradict her advice on even basic medical knowledge. They make outlandish requests, and those requests are frequently dangerous.

Stop to think for a moment and you realize that this is a widespread problem. Conservative politicians are willing to listen to a tiny minority of fringe scientists over the 97% majority who say climate change is real and man-made. Frightened parents believe that vaccines cause autism despite the fact that you'll be hard-pressed to find a real doctor who agrees. America's inspectors and structural engineers are telling their government that bridges and causeways are on the verge of collapse, yet politicians seem to ignore their own experts, putting the safety of everyday citizens at risk.

What's the problem? Are we, as a people, unable to trust? Are our egos so big that we can't yield judgement to more knowledgeable persons, even when it concerns our own safety? Are we a culture of people who insist on bucking even the smallest authority? I don't know, I'm neither a psychologist nor a sociologist... There, see how easy that was?

One thing is for sure, if we, as a society, can't get our leaders to listen to even the most basic advice of experts and professionals, the future is not going to look as bright as we might imagine. So, the next time your local computer nerd gives you some advice - for the love of Jobs, please - listen to them.

Extra Credit Reading: Still here? Wow! Here's a list of nerds experts, professionals, and organizations who oppose banning encryption. Listen to them!

The Information Technology Industry Council
Who They Are: A technology council which includes any tech company of importance. Like, every one. You might recognize Adobe, Apple, Blackberry, DropBox, Facebook, Google, HP, IBM, Intel, Lenovo, Microsoft, Samsung, Sony, Symantec, Toshiba, Twitter, Visa, and Yahoo. That's just a sampling. They all oppose backdooring encryption.
Listen to Them: Because they're... well... every single major tech company in existence.

Cory Doctorow
Who He Is: Besides being the co-editor of e-zine boingboing, a regular columnist for the Guardian, and an accomplished writer, Cory Doctorow is a longtime advocate for digital rights, privacy, and fair copyright worldwide.
Listen to Him: If his experience doesn't convince you that he knows what he's talking about, perhaps his writing will.

OpenMedia
Who They Are: An utterly tireless group of (mostly) Canadians who are at the forefront of lobbying for digital rights, open access, and fair copyright in Canada and elsewhere.
Listen to Them: Read what OpenMedia's Digital Rights Specialist Laura Tribe has to say about encryption backdoors.

The Electronic Frontier Foundation
Who They Are: The CEO of T-mobile might not know who EFF is, but you should. The EFF has been lobbying for digital rights and fair copyright in the US since 1990.
Listen to Them: See what the EFF has to say about their government's plan to backdoor crypto.

Edward Snowden
Who He Is: The infamous NSA whistleblower, currently living in exile, who exposed the NSA's programs of mass, warrantless spying on ordinary Americans, which included inappropriate access for voyeuristic purposes.
Listen to Him: Besides being an expert simply by virtue of having been on the inside of domestic spying, Snowden has rightly pointed out that many terrorists, including the Paris attackers, aren't using encryption.

General Michael Hayden
Who He Is: The former director of the NSA, from 1999 to 2005.
Listen to Him: If even a former head of America's domestic spying apparatus thinks banning encryption is a bad idea, then it's probably a really, REALLY bad idea.

Some of the Leading Minds on Encryption Technology via MIT
Who They Are: I believe I just explained that. But specifically, they are Harold Abelson, Ross Anderson, Steven M. Bellovin, Josh Benaloh, Matt Blaze, Whitfield Diffie, John Gilmore, Matthew Green, Susan Landau, Peter G. Neumann, Ronald L. Rivest, Jeffrey I. Schiller, Bruce Schneier, Michael Specter, and Daniel J. Weitzner.
Listen to Them: This is a scholarly article, so it's heavy reading. But if you're really looking for the hard facts and nitty gritty, Keys Under Doormats will give you all the technical reasons why what governments are asking for is not feasible.

* This article was originally entitled "You Aren't an Expert? Then Shut Up." I decided on a slightly gentler approach.

cover image compiled using vector art by Leremy/Shutterstock