PSA: A Holiday Privacy Reminder

smash-computer

If you happened to receive a new computer, and are tossing out an old machine, please remember to permanently erase any personal data. Otherwise, someone like me* just might find your discrete photos, bank account numbers, SSAN, and so forth.

In Windows, merely “deleting” the files doesn’t do it; deleted files sit in your recycle bin until you actively empty it…

Which also doesn’t do it. A deleted file isn’t truly deleted until the portions of the hard drive on which it sat is overwritten. “Deleting” just changes the file header to “this space available”. Until it’s overwritten, someone like me — or worse, someone not as honest as me — can recover the data.

So delete all your data using a file shredder like this one before that computer goes out to the curb.


* The last three computers I acquired by scrounging — including one last night — all had extensive files left completely undeleted: pictures of kids, vacation shots, financial data, personal letters, and more. I’m nice; I just wiped it all.

Windows 10: Reason # eleventy-gazzillion to avoid it

Windows 10 won’t run games with SecuROM DRM, says Microsoft
While Windows 10 is largely good news for gamers, it turns out that those with a collection of older games laden with DRM copy protection software are going to have a hard time getting them up and running on the new OS. In an interview with Rocket Beans TV (as translated by Rock, Paper, Shotgun) at this year’s Gamescom, Microsoft’s Boris Schneider-Johne explained that that Windows 10 won’t be able to run games that use SafeDisc and SecuROM technology.

No, not that DRM-bricking. That’s eleventy-gazzillion-one. Frankly, DRM tends towards evil, so it’s hard to get worked up over that (of course, I don’t have any of the verboten DRM games; YMMV on that).

Eleventy-gazzillion is this:

“Everything that ran in Windows 7 should also run in Windows 10,” said Johne, “There are just two silly exceptions: antivirus software, and stuff that’s deeply embedded into the system…

Yeah, they’re killing third party antivirus protection. Presumably that leaves you with MS’ own AV, which in previous versions of Windows has been less effective, with fewer and less comprehensive updates, than third party stuff like Avast! AV. If you can’t beat the competition, brick ’em. Kinda like when MS killed ZoneAlarm, then the most popular third party firewall in the world.

That “stuff that’s deeply embedded” would worry me, too. Is that stuff like third party disk defrag? Unapproved DLLs? UI interface tweaking tools that make Win semi-tolerable for some people?

Friends don’t let friends use Win10. But if they do, medicate them. Drugs are safer.

So… Who would go to prison?

I would hope all Windows users are aware of the deliberate snooping built directly into Windows 10, and know not to “upgrade” to it. If not, the short form is that MicroNSA believes so strongly in the future of “cloud computing” that it’s going to make Win10 users do it whether they like it or not.

That’s bad.

Worse: It now appears that wasn’t good enough for the NSA’s corporate buttbuddy. They’re pushing a set of updates to Win7 and Win8 that implement some of the same file, email, browsing, and search data snooping to be found in 10.

If you must run Windows, do not upgrade to Windows 10. If you are running 7 or 8, turn off Automatic Updates immediately. Check your system (Control Panel=>Windows Updates=>View Update History) for the following updates:

  • KB3068708
  • KB3022345
  • KB3075249
  • KB3080149

Disable them.

If you aren’t on automatic, check the list of “Updates to install.” If you see them there, right-click on them and “Hide Update.”

Install Linux Mint and avoid this in the future. [grin]

Now about that “prison” reference. Imagine you work for a nursing company or in a doctor’s office. Imagine company IT hasn’t blocked these updates. Now imagine your machine reading emails about/to/from patients and forwarding the contents to Microsoft. The private HIPAA-protected contents.

Now imagine how huge a HIPAA violation that could potentially be. HIPAA violations can carry civil and criminal penalties, including fines as high as $1.5 megabucks.

That’s just in the medical field. Attorney/client privilege information can be breached, too. Or just corporate proprietary data. Can you say, “Liability”? Sure, you can.

Heh. Now imagine you’re a dishonest Secretary of State running classified email through a Windows machine… which helpfully forwards the TS/SCI data to Microsoft in violation of the Espionage Act. China wishes it could rootkit machines as extensively as MS. Hell, the FBI and NSA would probably be willing to pay MS beaucoup bucks for this surveillance functionality. Maybe they did. [/tinfoil hat off]

ClosedBazaar

TL;DR: Do not use the allegedly forthcoming “OpenBazaar” unless you like security and privacy vulnerabilities.


So there’s an outfit backed by some venture capitalists supposedly creating an open source P2P client for private, secure online purchases (think “distributed version of Silk Road). Interesting idea.

Until you hit their web site. It absolutely requires lots of javascript and Flash to work.

I can tolerate some javascript. Depends on where it’s coming from. But any site that requires Flash is an instant no-go. It doesn’t instill a great deal of confidence in the privacy and security of the OB client. Sure, being open source will let people look for vulnerabilities. But the demonstrated preference for web hazards doesn’t bode well for them minimizing vulnerabilities in the first place, or fixing them in a timely matter in the second place.

Great Ghu…

I sent OpenBazaar.com an email explaining those objections to all those vulnerabilities. I just received a reply from “Brian Hoffman”:

“Ok peace. You can go get the client from GitHub directly and avoid the marketing site. Your style of browsing the web isn’t the only one so we’ll continue to do things the way we see fit, but thanks for the heads up. Everyone is free to do what they like and so are you.”

Apparently he doesn’t get “But the demonstrated preference for web hazards doesn’t bode well for them minimizing vulnerabilities in the first place, or fixing them in a timely matter in the second place.”. My problem isn’t the marketing site. It’s what the marketing site tells me about the nonchalant security attitude of people professing to build a private, secure product.

So I replied to Hoffman:

My “style of browsing” (i.e.- Linux, Pale Moon, NoScript, Flash blocking, etc) is exactly what is used by tech-savvy people, who would want a secure, private OpenBazaar client, use. Except the ones who go even farther with dedicated machines running through multiple proxies, and so on and so forth.

The Internet Exploder users who don’t care about Flash and scripting (and security and privacy) aren’t looking for an OB product. They’ll just use Etsy, eBay, Craigslist, and Cousin Charlie’s girlfriend’s best friend’s contact. You should probably take another look at your targeted demographic.

Hoffman’s answer:

Our product is not just targeted at the niche audience that is anarchic, libertarian, highly technical users.* Sorry to disappoint you. Probably want to look elsewhere.

Well, yeah. That I won’t be looking at his little security violation was my point.

I gather that Hoffman is a programming type. Maybe those VCs should provide somemone with a better grasp of public relations to screen email. Not to mention someone with a clue regarding demographic targeting. And while I might be a little sensitive to rudeness and cluelessnes, Claire Wolfe was also… impressed by Hoffman’s shortfalls.

OB might turn out to be a decent product, despite some incredibly questionable security decisions by the developers. But I doubt it. If it does, it will only be after months to years of vetting by the anarchic, libertarian, highly technical open source community; most of whom just might look at this and decide its simply to risky to even bother vetting.


* OB is based on Bitcoin. Pretty much by definition that severely limits OB to highly technical users interested in privacy and security.