Tag Archives: security

Langara Computer Technology Meetup: Simple Principle for Website Security

The Langara Computer Science department has about 6-7 meetups a year on various technology topics. I had intended to attend one earlier, but this is the first one I got to.

The presentation is to focus on practical website security principles.

Digital Odyssey 2013: Big Data, Small World Notes & Takeaways

Big Data

  • 90% of the world’s data was created in the last 2 years
  • can tell us much that other information cannot
  • emphasize the need for analysis and interpretation
  • your data is mined and used to make decisions for you, even more so in the future
  • to prepare, know that big data will affect data management, discovery tools, new jobs, revised skills requirements, and revised infrastructures
  • businesses will be made up of who has the most data and knows how to best use it

Ryerson Going Google with Google Apps: The Run Down

UPDATE: See my more recent blog post if you’re looking for my supplement materials (to the Ryerson Google site) on sync’ing Google Apps.

I attended a session to address privacy and security concerns in adopting Google Apps at the university. Half of the session was actually a general how-to on protecting your own information and your responsibilities as a user. I’ll focus more on the project itself than the second half since there’s a ton of resources about protecting your information already out there.

Google Apps

Sada Systems will be dealing with the actual implementation and migration. Rollout will be done in stages starting with the first four in the list below, and the rest will have to go through the evaluation process first.

  • mail
  • calendar
  • docs/drive
  • contact
  • chat
  • mobile
  • sites
  • app engine
  • plus
  • video

Options

  • Faculty and students will have an opt-in option for mail.
  • Staff, however, will be migrated (i.e. not optional).
  • Everyone will be moved to calendar in order to be rid of Groupwise (yay!).
  • Everyone will still keep their @ryerson.ca so there is no change in the email address itself.

Timeline & Next Steps

In a nutshell, there is none, and that’s because the legal agreement hasn’t actually been signed yet.

Once it does get signed, then alpha testing will be done with the CCS group (central IT) and then beta testing with a larger community group. They’re still hoping for a fall rollout though.

Legal Concerns

Most privacy and security concerns revolved around lawful access and warrantless searches when storing data in the US. It was explained that, basically, it doesn’t make a difference. Canada has similar legislation, and the Mutual Legal Assistance Treaties (with many countries) are binding agreements to share information under lawful access or warrantless searches, which means the same thing will happen if your data is stored in any of the countries that are part of the agreement.

Privacy & Data Protection

To alleviate some concerns, the organizing group assured everyone that a Privacy Impact Assessment is done using the international standard, Privacy in Design and ensures that there are no breaches to:

Additionally,

  • all incoming mail goes through the university servers first
  • not opting in means that email stays on the university servers
  • opting in means the emails are then sent and stored on Google servers
  • students’ emails will not be visible in the global (internal?) address list
  • minimum identifying information (username, name) is used for authentication
  • drives/docs is private by default
  • calendars display only free/busy by default (as in Groupwise right now)

As I mentioned, in the second half of the presentation, we were all reminded that most email/information/data breaches are due to users, not email systems or hardware, and that email is not secure (although they’re looking into encryption for sensitive information). We got the usual spiel on our responsibilities not to include sensitive information in emails, having secure passwords, being careful of phishing, making sure websites use https, etc.

We’ll see how quickly they get things going, but I’m sure many staff will be happy to get rid of Groupwise (which likes to crash at least a couple of times a week and cancels shut down) at the very least.

For more updates, there is a dedicated blog for project updates.

Stop Living in a Bubble: Privacy & Tracking of Google and Others

With Google’s new policy in effect, there is currently no shortage of news articles and blog posts about how to protect your information from Google. I think it’s great that people are becoming more aware of the effects of how one big company can track you, but this has been going on for many years, just never in one nice neat package as Google is talking about now. [Too long? Skip to the Summary at the bottom]

It’s Not Just Google

While zdnet.com and many others focus specifically on Google, just recently in the news, Target figured out a teenage girl was pregnant before her father did, and NYTimes did a piece on how it’s not just Target, but any and every corporation you shop with. Mind you, if you shop at various stores for various people, it might be harder for one single company to track you, but online is a whole other world.

Living in a Bubble

Online is different, because you can be tracked from one website to another. Particularly when you’re signed in, every search you do is put into your history. Even when you’re not signed in, you’ll be tracked by IP address (but on the up side, rarely does anyone have a truly static IP at home or at work). Your search results will be skewed based on personalized data: not just ads, but search results as well. dontbubble.us provides a nicely illustrated explanation of how it works and why it’s important.

Big Brother (and Everyone Else) is Tracking You

Online is also different because it’s not just Google tracking you; trackers are built into sites that follow you on the web to build a profile on your behaviour (and very few sites do not have this). Check out donttrack.us for another illustrated explanation, but if you really want to see how insidious behavioural trackers are, take a look at Collusion, which will give you a demo on a short journey on the web from IMDB to news sites.

What to Do

So how do we protect ourselves from all of this? Live in a cave. No really, practically speaking, there is no way to prevent being tracked and having personal information stored some way or another. It’s no secret that every app and every site that has access will keep information on you and many will sell it to advertisers.

Nevertheless, while it’s virtually impossible to prevent tracking altogether, you can prevent advertisers from building a profile about you to a larger or lesser degree.

Opt Out of Google History

Just about everyone has covered this, and zdnet.com provides a nice summary with lots of links, but here are some direct links:

You could also of course, delete your Google account completely and not use any Google products. (Just saying.)

Browser Plugins

Plugins are nothing new as a way to help manage privacy and security in browsers. At the bottom of donttrack.us, there is a list of browser plugins you can consider. Some of these are only supported by one or two browsers, but similar plugins are available for other browsers. In particular, I use:

For greater anonymity, add HTTPS Everywhere and Tor. Not on the donttrack list is: TrackerBlock for Firefox, and Internet Explorer.

Browser Settings & Options

Changing some of your security and privacy settings in your browser will also help. The farther down the list, the more extreme you get, but they’re there to consider.

  • Change your default search engine
    • I use duckduckgo, which doesn’t track or bubble and has a neat !bang syntax. The drop down next to the search icon also gives you options for searches it doesn’t have built-in like images and news. (Plus it has an awesome logo)
    • Just set it once. If you’re in doubt, here’s the ‘search URL’ to enter: https://duckduckgo.com/?q=
  • Do not allow sites to track physical location
  • Disable Third-party Cookies
  • Disable Cookies Altogether (optional: add exceptions for sites you visit frequently and want auto-login)
  • Do not allow local data to be set
  • Clear all data when closing the browser
  • Browse privately – use InPrivate (IE), Private Browsing (Firefox, Safari), Incognito (Chrome), Private Tab (Opera) – and set it as the default (if possible)

Opera actually has a great guide to security and privacy covering a lot of Opera settings on one handy page.

Change Your Browsing Habits

Admittedly, I find it hard to do without using any Google products having a gmail account including googletalk, and Google Reader (if someone has suggestions on an alternative that is just as good, I’d love to hear it). Nevertheless, at work, I will log into Google with one browser while using a different browser for everything else. At home, googletalk pops up email in my default browser, so I make sure to log out when I’m done.

On the more extreme side of things, you can set up your work flow such that nothing is stored locally; check out a blog post on microcosm about browsing privately.

Non-Techsavvy Friendly

While some of these options are great for those who are tech-savvy enough, many of these options will create barriers for those who would prefer some protection but with the same experience as before. In those cases, I recommend:

  • All the Google History stuff
  • Adblock/plus
  • Ghostery + making sure common sites are not blocked e.g. facebook, twitter
  • Changing the default engine in the address and search bar
  • Do not allow tracking of physical location
  • Disable third-party cookies + making sure common sites are added to exceptions e.g. bookmarklets

Of course, it’s all about the individual. If they can handle NoScript (which is fairly easy to use once you’re taught), that’s great. The problem is always if the user encounters an error or some functionality that isn’t working properly because it’s being blocked. It’s great if they’re willing to call you and you can talk them through it on the phone, but otherwise, we all know how frustrating it can be for something to not work like we think it should.

Summary

Some key takeaways if you thought that was a bit long to read through.

  • Remove and opt out of all Google history and personalization
  • Install some easy to use plugins, and adjust your browser settings
  • Most of all: Use duckduckgo.com for your default search engine