David Gessel

Testing Privacy Tools

Saturday, December 4, 2010 

I was curious after posting some hints about how to protect your privacy to see how they worked.

I used EFF’s convenient Panopticlick browser fingerprinting site. Panopticlick doesn’t use all the tricks available, such as measuring the time delta between your machine and a reference time, but it does a pretty good job. Most of my machines test as “completely unique,” which I find complimentary but isn’t really all that good for not being tracked.

Personally I’m not too wound up about targeted marketing style uses of information. If I’m going to see ads I’d rather they be closer to my interests than not. But there are bad actors using the same information for more nefarious purposes and I’d rather see mistargeted ads than give the wrong person useful information.

Panopticlik noscript.jpg

Testing Panopticlick with scripts blocked (note TACO doesn’t help with browser fingerprinting, just cookie control), I cut my fingerprint to 12.32 bits from 20.29 bits; the additional data comes from fonts and plugins.

Note that EFF reports that 1:4.1 browsers have JavaScript disabled. Visitors to EFF are, I would assume, more likely to disable JavaScript than teh norm on teh interwebz, but that implies that JavaScript-based analytics packages like Google Analytics miss about 25% of visitors.

Panopticlick_1291458952178.jpg

It is also interesting to note that fingerprint scanners (fingerprints as on the ends of fingers) have false reject rates of about 0.5% and false acceptance rates of about 0.001%. Obviously they’re tuned that way to be 50x more likely to reject a legitimate user than to accept the wrong person and the algorithms are intrinsically fallible in both directions, so this is a necessary trade-off. Actual entropy measures in fingerprints are the subject of much debate. An estimate based on Pankanti’s analysis computes a 5.5×10^59 chance of a collision or 193 bits of entropy, but manufacturer published false acceptance rates of 0.001% are equivalent to 16.6 bits, less accurate than browser fingerprinting.
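As an added illustration (not part of the original post, and not EFF’s code), the Python below computes the “bits of identifying information” figure that Panopticlick reports, over a small constructed population of visitors, and shows why blocking scripts lowers it: the user agent and Accept headers arrive with every HTTP request, while the plugin and font lists can only be read with JavaScript. It also converts the biometric false-acceptance rate quoted above into its bit equivalent. The population, attribute names and values are all made up for the example.

```python
import math

# Constructed sample population of eight visitors (not Panopticlick's real data).
# "ua" and "accept" arrive in HTTP headers; "plugins" and "fonts" need JavaScript.
POPULATION = [
    {"ua": "Firefox/3.6 Win", "accept": "html,xml;gzip", "plugins": "flash,java,silverlight", "fonts": "Arial,Calibri,Wingdings"},
    {"ua": "Firefox/3.6 Win", "accept": "html,xml;gzip", "plugins": "flash",                  "fonts": "Arial,Calibri"},
    {"ua": "Firefox/3.6 Win", "accept": "html,xml;gzip", "plugins": "flash,java",             "fonts": "Arial"},
    {"ua": "Firefox/3.6 Win", "accept": "html,xml;gzip", "plugins": "flash,java,silverlight", "fonts": "Arial,Calibri"},
    {"ua": "Chrome/7 Win",    "accept": "html,xml;gzip", "plugins": "flash",                  "fonts": "Arial"},
    {"ua": "IE/8 Win",        "accept": "*/*;deflate",   "plugins": "flash,silverlight",       "fonts": "Arial,Calibri,Wingdings"},
    {"ua": "Firefox/3.6 Win", "accept": "*/*;deflate",   "plugins": "flash,java,silverlight", "fonts": "Arial,Calibri,Wingdings"},
    {"ua": "Safari/5 Mac",    "accept": "html;gzip,br",  "plugins": "quicktime",              "fonts": "Helvetica"},
]
VISITOR = POPULATION[0]  # the machine being tested is itself part of the population

NOSCRIPT_ATTRS = ("ua", "accept")                  # what a script-blocked visit exposes
ALL_ATTRS = NOSCRIPT_ATTRS + ("plugins", "fonts")  # what a scripted visit exposes


def surprisal_bits(population, attrs, visitor):
    """Identifying information (bits) in the joint value of `attrs`:
    -log2(fraction of the population matching the visitor on every listed attribute)."""
    matches = sum(1 for p in population if all(p[a] == visitor[a] for a in attrs))
    return -math.log2(matches / len(population))


def per_attribute_bits(population, attrs, visitor):
    """Surprisal of each attribute on its own, the way Panopticlick lists them row by row."""
    return {a: surprisal_bits(population, (a,), visitor) for a in attrs}


def bits_from_false_accept_rate(far):
    """Bit-equivalent of a biometric matcher's false-acceptance rate: -log2(FAR)."""
    return -math.log2(far)


if __name__ == "__main__":
    full = surprisal_bits(POPULATION, ALL_ATTRS, VISITOR)
    blocked = surprisal_bits(POPULATION, NOSCRIPT_ATTRS, VISITOR)
    print(f"scripts allowed: {full:.2f} bits; scripts blocked: {blocked:.2f} bits")
    parts = per_attribute_bits(POPULATION, ALL_ATTRS, VISITOR)
    for attr, bits in parts.items():
        print(f"  {attr:8s} {bits:.2f} bits")
    print(f"sum of per-attribute bits: {sum(parts.values()):.2f} (overstates: attributes are correlated)")
    print(f"FAR of 0.001% is equivalent to {bits_from_false_accept_rate(1e-5):.1f} bits")
```

With this population the visitor is unique on the joint fingerprint (3 bits out of a possible log2(8)) but shares the header-only fingerprint with three others (1 bit). The per-attribute figures add up to more than the joint figure because plugin and font lists correlate strongly with the browser; the joint number is the one that matters for trackability, and Panopticlick does the same computation against its own, far larger, visitor database.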

Posted at 06:44:41 GMT-0700

Category: Politics, Technology

Opting Out for Privacy

Friday, December 3, 2010 

There’s a great story at the Wall Street Journal describing some of the techniques that are being used to track people online that I found informative (as are the other articles listed in the series in the box below).  EFF is doing some good work on this; your browser configuration probably uniquely identifies you and thus every site you’ve ever visited (via data exchanges).  Unique information about you is worth about $0.001.  Collecting a few hundred million 1/10ths of a cent starts to add up and may end up raising your insurance premiums.

One of the more entertaining/disturbing tricks is to use “click jacking” to remotely enable a person’s webcam or microphone.  Is your computer or network running slowly? Maybe it is the video you’re inadvertently streaming back (and maybe you just have way too many tabs open…)

A few things you can do to improve your privacy include:

  • Opt out of Rapleaf. Rapleaf collects user information about you and ties it to your email address.  You have to opt out with each email address individually, which almost certainly confirms to them that all your email addresses belong to the same person.  You might want to use unique Tor sessions for each opt out if you don’t want them to get more information than they already have via the process.
  • Opt out at NAI. This is a one stop shop for the basic cookie tracking companies that are attempting to be semi-compliant with privacy requests.  If you enable javascript for the site (which would be disabled by default if you’re using scriptblocker) then you can opt out of all of them at once.  Presumably you have to return and opt out again every time a new company comes along.
  • Use Tor for anything sensitive.  If you care about privacy, learn about Tor.  It does slow browsing so you have to be very committed to use it for everything.  But the browser plug-in makes it pretty easy to turn it on for easy browsing.
  • Don’t use IE for anything personal or important.
  • Run Spybot Search and Destroy regularly.  Spybot helps block BHOs and toolbars that seem to proliferate automagically and helps remove tracking cookies.  You’ll be amazed at how many are installed on your system.  I have used or not used TeaTimer.  I’m less excited about having a lot of background tools, even helpful ones, than I used to be.  Spybot currently starts out looking for 1,359,854 different known spywares.  Yikes.
  • Check what people know about you:  Google will tell you, so will Yahoo.  Spooky.
  • Use Firefox.  If for no other reason than the following plugins (personally, it is my favorite, but I know people who favor Chrome or even RockMelt, but talk about tracking!)  Just don’t use IE.
  • Use the private browsing mode in your browser (CTRL-SHIFT-P in Firefox).  It’d be nice if you could enable non-private browsing on a whitelist basis for sites you either trust or have to trust.  We’ll get there eventually…
  • TACO should help block flash cookies.
  • Install NoScript to block scripts by default.  You can add all your favorite sites as you go so things work.  It is a pain in the ass for a while, but security requires vigilance.
  • Install Adblock Plus.  It helps keep the cookies away.  It also reduces ad annoyance.  You can enable ads for your favorite sites so they can pay their colo fees.
  • Add HTTPS Everywhere from EFF. The more your connections to sites are encrypted, the less your ISP (and others) can see about what you’re doing while you’re there.  Your ISP still knows every site you visit, and probably sells that information, but if your sessions are encrypted they don’t see the actual text you type.  It also makes it harder for script kiddies to grab your passwords at the cafe.
Posted at 02:44:43 GMT-0700

Category: Politics, Privacy, Security, Technology

When HDR Would Really Matter

Wednesday, December 1, 2010 

IMG00106-20101201-1624.jpg

Posted at 21:05:34 GMT-0700

Category: Geopost, Places, Travel

Nov 29

Monday, November 29, 2010 

I took my first “post merger” (announcement) Continental flight, BOS-IAH today. So far, not quite there yet.

First, the upgrade queues are not merged yet, so as a UAL customer, I’m at the back of the list. An uncomfortable place to be (literally) as I didn’t even manage to score their equivalent of an economy plus seat. Star Alliance gold is the highest status Continental recognizes from UAL, which is pretty far down the list. I was about 8 for 2 spaces on the way out and this time much closer, 2 for 1 space. No advance upgrades for UAL customers.

The BOS Club is attractive, but they have fewer goodies than the BOS RCC. Currently serving beer and wine only, and a few packaged snacks. The Presidential club is also effectively bereft of outlets, so don’t plan to charge your devices there. It is probably easier to find an outlet in the concourse. I spent 10 years lobbying UAL for more outlets in RCCs, and each club remodel has brought more. Continental does win on wifi – just connect and go; no password hassle at all.

The IAH club is nicer than BOS: fewer work pods but more comfortable seating and a few comfortable seats with outlets. The feature that Continental brought to UAL is free well drinks (not open wifi :-( The feature UAL is going to bring to Continental clubs is no entry for Amex Platinum cards (starting late winter).

Continental charges $6 to watch their stupid DirecTV feed. Live broadcast TV is just as hopeless on a plane as it is on the ground. The days of people staying home to make sure they catch their favorite shows are long over, let alone hoping something happens to be on while you’re on a plane. That’s a minus.

The seat power seems to work right, that’s a plus. United has implemented EmPower 110V 60 Hz plug-in seat power, but they seem to have consistently derated it so you can’t run a 90W power supply on it for more than a few minutes without tripping the breaker. I like the old KID DC systems better – I have no problems with my W500 on them. But the Astronics 1215 systems on UAL planes seem to be cut back to about 75W per seat (this can be done via a 1176 AMCU, but I haven’t verified this yet).

Apparently the merger is supposed to get a little closer to complete by the end of next year. Until then, I’ll preferentially fly connecting UAL flights over direct Continental ones, at least long-haul. Once the merger is complete it’ll be nice to have such a large network with full elite privileges. Now if only we could merge Lufthansa and bring their culinary standards along…

Continental_Plug_In_Power.jpg

IMG00093-20101128-1746.jpg

Posted at 17:22:39 GMT-0700

Category: Media

Jesus Meme in Italy

Sunday, November 7, 2010 

One of the more awesome costumes at the Lucca Comics and Games festival was the Jesus Meme guy. Memes really are international!
https://web.archive.org/web/20240718105121/https://memegenerator.net/jesus-says

PA308104.JPG

Posted at 22:33:27 GMT-0700

Category: Media

Oh Those Funny Germans

Friday, November 5, 2010 

Germans and their odd obsessions. I had no idea that Hamburg was the center of “Brown Gold” in Germany.

PB028323.JPG

Posted at 13:00:55 GMT-0700

Category: Media

FAIL Anti-Skid System

Tuesday, November 2, 2010 

I’ve never heard of an “anti-skid system” failing on a plane, but it seems to be the equivalent of anti-lock brakes. Today Carolyn and I were in Zurich, on our UAL 767 waiting to fly to IAD… waiting…. waiting… about 3 hours.

Then they come grab us and hustle all the 1st and business people off the nice, updated 767 and tell us to run to the ZRH-FRA gate a terminal away. Off we go: by the time we land in FRA our ZRH-IAD flight was on its way. At FRA we run a few miles through the terminal and get to a 777 (unconverted, old style seats) and lots of very unhappy people from the ZRH-IAD flight. But no problem, we get to IAD. I miss my 8:00 flight to SFO, but get on the 10:00, all upgraded and such.

Now I’m sitting on it… 30 minutes past departure time at the gate because… the anti-skid system is broken. 1000s of planes over the years, never had a bad anti-skid system. Now two in one day: it’s an epidemic!

Posted at 19:38:07 GMT-0700

Category: Media

Inner-city Wildlife

Sunday, September 26, 2010 

A very loud cat came in to eat cat fud. It turned out to be a big raccoon.
After scampering to the cat door (in the floor) and trying to pass itself off as basement raccoon watching us, it ran out.

Floor_racoon_is_Watching_You.JPG

I went out to take a picture of it and as I was turning to go in, I noticed the Great Sky Possum was perched on the roof keeping a wary eye on Basement Raccoon.

racoon_outside.JPG

Ceiling_Possum_Is_Watching_You.JPG

Time to get an automated feeder.

Posted at 13:13:07 GMT-0700

Category: Oddphoto

How to Disable CTL-Return in Thunderbird

Thursday, September 23, 2010 

One of the stupidest keyboard shortcuts I’ve run into is Thunderbird’s CTRL-Return automatic send function. Maybe I type sloppily, but I frequently CTRL-V to paste a link into a message and hit return just a little too fast to continue typing and, damn it, the embarrassing, incomplete message is gone.

It turns out I’m not the only one. I found this great link
https://web.archive.org/web/20091126055634/http://blogs.sun.com:80/LetTheSunShineIn/entry/changing_thunderbird_keyboard_shortcut

which has, itself, a link to a pretty cool plugin that lets you remap the keyboard shortcuts.
http://mozilla.dorando.at/keyconfig.xpi

But it does not (at least with Thunderbird 3.1.4 on Windows) list the dreaded ctrl-enter stupidkey. Now Windows 7 search is astonishingly stupid (how come Windows, 20 years on, still can’t give a marginal search function when back in 1990 OnLocation could return every file on my Mac, including searching by content, in a few milliseconds? Progress my ass) but I found the right “prefs.js” (eventually) at C:\Users\dgessel\AppData\Roaming\Thunderbird\Profiles\mwwkrsno.default.

As I’d modified a few keyboard commands with keyconfig already, prefs.js had a nice friendly indicator of where I should insert my own guerrilla modification (about the middle of the file) and there I pasted in

    user_pref("keyconfig.main.key_send", "!][][");

and when I launched Thunderbird, ctrl-enter was disabled. YAY!

(The following message was a “note to self” – I typed ctrl-enter and…)

Yep. Message still here… doesn’t work.

(…noted that the message was not sent thus ctrl-enter no longer works.  The fix, therefore, does work.)

If you want to customize your experience, there’s a nice command reference here
http://kb.mozillazine.org/Keyconfig_extension:_Thunderbird

I added CTL-ALT-RETURN as “send later” which I don’t think I’ll hit accidentally.
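As an added example (not from the original post, and not part of the keyconfig extension), here is a small Python helper that sets a user_pref line in prefs.js idempotently: if the pref already exists its line is replaced in place, otherwise the line is appended, so re-running it never leaves duplicate entries (the last duplicate would silently win). The sample prefs.js content is constructed for the demo; the disabled-key value "!][][" and the pref name keyconfig.main.key_send are the ones used in the post. Edit the real file only while Thunderbird is closed, because Thunderbird rewrites prefs.js on exit and would clobber a live edit.

```python
import re
import shutil
from pathlib import Path

# Constructed prefs.js excerpt for the demo (the pref names below other than
# keyconfig.main.key_send are made up). The real file lives under your profile,
# e.g. ...\AppData\Roaming\Thunderbird\Profiles\<profile>\prefs.js
SAMPLE_PREFS = """\
# Mozilla User Preferences
user_pref("keyconfig.main.example_key", "control][r][");
user_pref("mail.startup.enabledMailCheckOnce", true);
"""

# keyconfig stores a disabled shortcut as this value (taken from the post above).
DISABLED_KEY = "!][]["


def _js_literal(value):
    """Render a Python value the way prefs.js expects it (bool before int: True is an int)."""
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, int):
        return str(value)
    escaped = str(value).replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def _pref_pattern(name):
    # Anchored to a whole line; the name is escaped so "." is not a wildcard.
    return re.compile(r'^user_pref\("' + re.escape(name) + r'",[ \t]*(.*?)\);[ \t]*$', re.MULTILINE)


def get_user_pref(prefs_text, name):
    """Return the raw JS literal of a pref (e.g. '"!][]["' or 'true'), or None if absent."""
    m = _pref_pattern(name).search(prefs_text)
    return m.group(1) if m else None


def set_user_pref(prefs_text, name, value):
    """Return prefs_text with user_pref(name, value) present exactly once."""
    line = f'user_pref("{name}", {_js_literal(value)});'
    pattern = _pref_pattern(name)
    if pattern.search(prefs_text):
        # A function replacement keeps backslashes in the value from being reinterpreted.
        return pattern.sub(lambda _m: line, prefs_text, count=1)
    if prefs_text and not prefs_text.endswith("\n"):
        prefs_text += "\n"
    return prefs_text + line + "\n"


def disable_send_shortcut_in_file(path):
    """Apply the fix to a real prefs.js, keeping a .bak copy beside it.
    Thunderbird must be closed: it rewrites prefs.js on exit."""
    p = Path(path)
    shutil.copy2(p, p.with_name(p.name + ".bak"))
    text = p.read_text(encoding="utf-8")
    p.write_text(set_user_pref(text, "keyconfig.main.key_send", DISABLED_KEY), encoding="utf-8")


if __name__ == "__main__":
    print(set_user_pref(SAMPLE_PREFS, "keyconfig.main.key_send", DISABLED_KEY))
```

Because keyconfig’s own key values contain square brackets, the line regex captures everything up to the closing `);` rather than trying to parse the value, which is all that is needed to find and replace a single pref.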

Posted at 23:33:40 GMT-0700

Category: Linux, Technology

Fight the Combating Online Infringement and Counterfeits Act

Tuesday, September 21, 2010 

I wrote my representatives:

The “Combating Online Infringement and Counterfeits Act” introduced by Senators Leahy and Hatch to shut down internet sites accused of violating copyright is fundamentally unacceptable and must be blocked. It is predicated on three failed precepts.

First:
The law would provide for expedited prior restraint of free speech based on a claim of infringement. This extends the already over-broad powers granted by the DMCA, which has been used to silence political opposition (e.g. John McCain’s DMCA takedown of a critical video on YouTube) and shut down legitimate criticism of corporate and financial interests. This bill will further erode free speech in America and thus further delegitimize democracy itself.

Second:
The bill provides for in rem actions against a web site. In rem actions have become one of the most popular mechanisms which police forces have used to enrich themselves by taking legal action against private property (e.g. USA v. $124,700 (2006)). This has led to massive corruption and even the murder of innocent people (e.g. Donald P. Scott 1992). In rem cases should be limited to acceptable legal situations where the owner cannot be identified, not as a method of prior restraint or as an extrajudicial shortcut that effectively extorts compliance from the target by creating an excessive cost barrier to seeking real justice.

Third:
The bill promotes the fiction that copyright law is a property law. It is not. Limited monopolies on the fruits of inventions are offered to inventors to promote the progress of science and the useful arts. These monopolies are in the form of copyrights and patents. There is no constitutional basis for creating laws to protect the privilege of copyright beyond what can be proven to promote the progress of science and the useful arts. It is an offense to democracy to privilege profits over basic civil rights. American society would not suffer meaningfully without the copyright industry, but American democracy is meaningless without free speech. Unfortunately, the copyright industry leverages profits into campaign contributions and lobbyists while free speech is, by its nature, free and thus profitless. Free speech can only be defended from profiteers by patriots.

This bill must be blocked. Please stand up for democracy.

Posted at 22:20:30 GMT-0700

Category: Politics