Safe Journo-Blogging

April 15th, 2005

"Apple won the right to make bloggers reveal sources in March
Eight US newspapers and the Associated Press agency have thrown their support behind three bloggers sued by Apple.
In March, Apple won the right to see the bloggers' e-mail records to find out who leaked information on upcoming products to them, which they published."

http://news.bbc.co.uk/1/hi/technology/4435809.stm

Blogging has attracted the attention of big business (just take a look at the number of blogs that are merely a corporate shill nowadays to get an idea of just how much power they think the blog now has). And where there is big business, the lawyers aren't far behind!
Personally, I don't see this as a blog issue but as a matter of a journalist protecting their source - no matter whether that journalist is working for a big paper or huge media outlet or for a small blog. If the freedom of the press is to be allowed then we need to redefine the term "press" and allow it to cover all legitimate forms of reporting.
However, I feel that there is a bigger issue here - and that is of people inexperienced in journalism becoming "blog-journalists". Just as there are pitfalls to having a work blog, there are equal pitfalls to blog journalism. I'm not going to get caught up here on trying to define where "journalism" stops and "somebody just writing things down" starts.
If you want to do a bit of blog journalism then take care and follow these simple steps to keep your sources secret.

  • Think carefully about whether you want to be a blog journalist! What are your motivations? What drives you? Do you have the time for it and the possible future hassles associated?
  • Have a reasonable understanding of the laws in the country in which you operate (base this knowledge on more than just hunches and the movies!).
  • When encouraging people to report news to you, especially news that might land them in trouble (whistle-blowing, giving details of upcoming products, etc.), encourage them to use discreet and anonymous methods of communication. Free email isn't as anonymous as most people think and can be traced to the source. There are plenty of anonymous remailers on the web, and for the really paranoid you can point them to services such as Hushmail.com. Discourage them from using real names and encourage codenames. If phone calls become necessary, payphones (especially those outside the caller's area or located in busy areas) are far better than home phones and cell phones.
  • Use PGP encryption and make your public key available on your site. Encourage your sources to use PGP (freely available for download and use).
  • Think carefully before publishing something controversial! Do you really want or need the hassle? How reliable are your sources?
  • Store data carefully. Encrypt sensitive data and securely destroy plaintext (that is, unencrypted) copies. Securely delete even encrypted data when you are done with it.
  • If you use an encryption tool then consider using different encryption keys for different leads, stories, contacts or projects. That way, compromise of one encryption key (by one means or another) won't compromise the others.

Home workers ‘pose security risk’

April 15th, 2005

"Working from home could pose a security threat to British businesses, costing an estimated £8.5bn a year, an IT security company has warned."
http://news.bbc.co.uk/1/hi/uk/4446827.stm

And this is news? Home security has always lagged behind corporate security and if a company allows home working from an unregulated system then it's opening itself up to a whole host of security issues. Home users are poor at keeping up to date with patches and antivirus updates and the control over who has access to the system is much more open than for a PC in an office.

There are a number of solutions (running a virtual PC, in essence a PC within a PC, using a tool such as VMware Workstation or ACE is one possibility), but they all take time and cost money to implement. However, I believe that the benefits of home working outweigh the costs and that by tightening up on home working security companies will also identify and eliminate other vulnerabilities.

The reverse is also true - the more home PC users are made aware of security issues, the better equipped they are to deal with them. By spreading the word on secure computing we will all ultimately benefit from fewer viruses, less spam and fewer hacker attacks.

The Triumph of Technology

April 15th, 2005

To coincide with this year's Reith Lectures, entitled the Triumph of Technology, You and Yours (BBC4, UK) has been asking what has been the most significant technological innovation since 1800.

Here are the final ten nominations:

It's a tough choice - I guess my vote goes to the transistor and the work that Lilienfeld and later Shockley, Bardeen and Brattain did to bring this device into being. Without these, of which there have been more made than all the characters ever printed, we wouldn't have much of the technology that surrounds us today.

Keyboard loggers

April 15th, 2005

It seems that keyboard loggers are becoming more and more commonplace by the day. Once they were sold discreetly and at a high price, meaning that the bar for ownership was set reasonably high. Now keyboard snooping seems to almost be accepted and these devices are low-cost and sold openly. It seems that everyone can, and should, be a snoop. I've seen some hardware keyloggers marketed as backup tools - "keep your data safe in the event of a crash".

Defense against these snoopers isn't easy. I guess that ultimately we'll see standard home and office keyboards installed with public key systems that exchange an encryption key with the PC each time the system is started or at other predefined intervals (it could act as a normal keyboard until the operating system is started and the drivers loaded). This would render hardware keyloggers useless but still puts the system at risk from software keyloggers (which are a nuisance but getting easier to detect with anti-snooping software).

The best system is vigilance. If you're worried about a hardware keylogger on your PC, your PC at work or the one that you use elsewhere there are a few things that you can do:

1 - Check the cable - if there is something that looks like an adaptor (about the size of an AA battery) between the keyboard and the PC then be suspicious. Switch the PC off, unplug it and investigate. If it's not something that usually exists on your keyboard then it's likely to be a keylogger - to be safe, destroy it if it's on your system or report it to your administrator/security people in the workplace.

Image of a keylogger

2 - Lock your office/computer room door when you're not there. Control who has a key.

3 - Use a USB keyboard connection instead of PS/2 - I've not yet seen a keylogger that works for USB.

4 - Know your system and workplace - that way you're better able to spot changes.

Security at the Papal elections

April 15th, 2005

Bruce Schneier, world-renowned security expert, has an interesting post on the security behind the Papal elections. This is one of the best rundowns of the security at the Sistine Chapel that I've come across so far. It's an interesting read and even though the election itself doesn't use hi-tech it has some valuable ideas that could be applied to the hi-tech world.

I was particularly interested in how clothing played an important part in the security.

Superb read - recommended reading for all interested in security!