Tuesday, 30 September 2014

The Right Cloud

Several weeks ago, Jennifer Lawrence & Co conspired to give Internet cloud storage services a bad name. Apple’s iCloud was the worst hit, and rightly so. The questions I would like to discuss in this post are:
  1. Whether the Lawrence case proves that one should avoid the use of cloud storage services, and
  2. If one should actually use them, then which of the providers should be used?
I will attempt to provide answers from the point of view of a privacy-aware individual whose friends often accuse him of paranoia in matters of Internet privacy.

So, how does this paranoid regard cloud storage services? Oh, the answer is quite simple: I use them all. Well, almost all of them. And I have been using them long before they were referred to as clouds.
First for the why.
What one is really seeking when one saves data, any data, is the ability to retrieve their data in the future. In contrast, most of the time we do not want our data to fall into others’ hands, therefore presenting us with contradicting requirements: ease of retrieval on one hand and confidentiality on the other. I argue that in most cases the former is way more important than the latter, and therefore the opportunity presented by online cloud services – the option of having big data centres whose reliability far exceeds anything that a private individual can achieve, plus the ability to always retrieve the data no matter what device one is using – far eclipses the risk of the rare occasion when data is breached. Security experts agree with me.
Or, to put it in easier to relate to terms, I’m much more at ease knowing my photos are stored on the cloud than on paper and local hard drives at home, where any burglar could pick the hard drives up or a fire can utterly destroy them. Consider just how easy it is for one to lose one's smartphone, with all the data on board. The damage potentially created by such a loss, i.e. the permanent loss of data, is much worse than the risks involved with cloud storage services.
There is ample choice of cloud services to pick from. Here are the better known ones:
  1. Dropbox: Being the first has its advantages with the best integration to anything and everything.
  2. Box: Their emphasis is on collaboration, as in allowing different people to share their work. They also offer 50GB of free space from time to time.
  3. iCloud: Yeah, Apple got the beating, but it actually did improve its security following the Lawrence case and now it’s up there with the rest. Alas, Apple offers the least space for the most buck. But then again, that’s Apple for you.
  4. Google Drive: Most of us use Android phones, which means most of us are members already.
  5. OneDrive: If you’re using Microsoft’s online office services, and I’m a big time user of OneNote, then you should find this service useful. Microsoft is also relatively generous in handing free extra storage space.
  6. Amazon: The one I do not use because of the service’s reliance on cookies and my general habit of severely restricting my browsers’ cookies.
I will note that all of the above services (with the potential exception of Amazon's, with which I'm unfamiliar) now offer two-factor authentication, either via app or SMS. If you do not want to end up with your nude selfies on the front page of the Herald Sun, do use two-factor authentication. It makes a big difference to hackers’ ability to break into your account and put their hands on your data.

Allow me to spend some words on those last two words: your data.
The main issue I have with all of the above mentioned cloud services is that while they look after your credentials and while they ensure your data is encrypted while trekking in and out of their servers, your data is unencrypted while sitting on the servers themselves. The providers themselves know exactly what you're storing with them. This is done for commercial reasons, most obvious of which is Google’s: Google does not grant you with your storage space because of your beautiful eyes; it does so in order to know more about you so as to be able to better target ads at you, which is where it makes its money from.
The case is different but close enough with the others. Fact of the matter is, your data is not truly yours while it sits on these cloud storage providers’ servers. The only way in which you can guarantee your data remains yours while on the cloud is by encrypting it before it leaves your hands.
I will repeat because this is an important point: your data isn’t yours if it is unencrypted prior to leaving your computer.
So, is that it? Can one no longer hold their nude selfies private anymore? No, the cloud wins again, through services that do encrypt your stuff before uploading it. They do so to the point of being unaware and claiming to lack the ability to know what you are actually storing with them in the first place. Further, they also claim that because of this reason they are unable to comply if a government comes in asking for your data under clauses such as The Patriot Act.
Here are three such services to pick from:
  1. Mega: Conducts its encryption through Java code on the browser, which makes it rather browser sensitive. Mega is additionally sensitive because of its history, being Kim Dotcom’s “in your face” answer to the USA following the shutdown of Megaupload. On the positive side, this New Zealand based company gives 50GB of free space and its app handles automatic smartphone photo backups. That’s a lot of nude selfies!
  2. SpiderOak: An encrypted Dropbox like service that offers clever backup functionality if you care to set it up. Being American, they are more exposed to theoretical Patriot Act intrusiveness, but their blog proves they stand by their users.
  3. Tresorit: An encrypted Box like service that offers prize money to anyone able to hack its encryption. So far the money has not been claimed. Tresorit resides in Europe, where privacy legislation is much stronger than most of the rest of this world. [30/9/14 update: It's probably worth noting Tresorit does not offer a browser interface. Whatever platform you choose to use it on, you are required to install an app.]
With all three of these, your service password acts as the encryption key – so pick a good password (try this service up for size, or start using a good password manager). Perhaps because of that, none of them offers two-factor authentication. Also, in all three cases you pretty much have to take the provider’s word for it: as an individual user, one cannot say whether these providers are truly unable to read one’s data. Given they all allow users to change their passwords (but not to reset them!), they must have their weaker moments.
Hope is not lost if you still distrust these companies too much to let them hold your nude selfies. There is nothing to prevent you from using services such as Cloudfogger to encrypt your stuff before you place it with Dropbox. TrueCrypt offers the ability and the app ecosystem to manage this exact feat by yourself, leaving you in control of everything; alas, TrueCrypt’s mysterious developers announced several months ago that they will no longer support this unique, all-platform encryption facility.
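One design that fits "your password is the key, you can change it but nobody can reset it", and that also shows what encrypting before the data leaves your computer looks like, is sketched below. It is an added illustration, not code from Mega, SpiderOak, Tresorit or Cloudfogger; all function names are hypothetical and it assumes Node.js with its built-in crypto module.

```javascript
// Added illustration; function names are hypothetical, not any provider's API.
const nodeCrypto = require("node:crypto");

// Stretch the account password into a 256-bit key-encryption key (KEK).
function deriveKek(password, salt) {
  return nodeCrypto.scryptSync(password, salt, 32, { N: 16384, r: 8, p: 1 });
}

// AES-256-GCM: confidentiality plus an integrity tag, fresh 96-bit nonce per call.
function sealBox(key, plaintext) {
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", key, iv);
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

// Throws if the key is wrong or the ciphertext was modified.
function openBox(key, box) {
  const decipher = nodeCrypto.createDecipheriv("aes-256-gcm", key, box.iv);
  decipher.setAuthTag(box.tag);
  return Buffer.concat([decipher.update(box.ct), decipher.final()]);
}

// Runs on the user's device. The returned record is all the provider stores:
// a salt and the random master key wrapped under the password-derived KEK.
function createAccount(password) {
  const salt = nodeCrypto.randomBytes(16);
  const masterKey = nodeCrypto.randomBytes(32);
  return { salt, wrappedKey: sealBox(deriveKek(password, salt), masterKey) };
}

function unlockMasterKey(account, password) {
  return openBox(deriveKek(password, account.salt), account.wrappedKey);
}

// Files are encrypted locally under the master key; only the box is uploaded.
function encryptFile(account, password, data) {
  return sealBox(unlockMasterKey(account, password), Buffer.from(data));
}

function decryptFile(account, password, box) {
  return openBox(unlockMasterKey(account, password), box);
}

// Changing the password only re-wraps the master key; stored files are untouched.
// There is no reset path: without the old password the master key stays sealed.
function changePassword(account, oldPassword, newPassword) {
  const masterKey = unlockMasterKey(account, oldPassword);
  const salt = nodeCrypto.randomBytes(16);
  return { salt, wrappedKey: sealBox(deriveKek(newPassword, salt), masterKey) };
}
```

Whether a given provider really keeps the password and master key on the device is exactly the part a user cannot verify from outside.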

Bottom line, although there are no 100% safe solutions – there never are – I argue there are pretty good cloud solutions out there. All of them are good for one purpose or another, but me, I will not deny the sympathy and high regard I hold for Mega, SpiderOak and Tresorit.

Saturday, 27 September 2014

Never Played Mass Effect

Allow me to regale you with this interview, in which Yvonne Strahovski (aka Mass Effect's Miranda Lawson) admits to have never played the video game she stars in:

First reaction: no wonder I always preferred Liara.
Second reaction: Within each of us there is a tendency to glorify and personalise the portrayers of our fictional heroes. It's natural; it goes hand in hand with being human. Alas, the less glamorous truth is that to these idols of ours, the characters they portray and the things they do on screen for us are nothing but their day jobs.
The reality is that while their day jobs are probably way more glamorous than yours and mine, they probably still think the same about their day jobs as you and I.

Wednesday, 24 September 2014

Why I Prefer Text

Oh oh, telephone line, give me some time
I'm living in twilight
Jeff Lynne, ELO 

You go about living your life, trying hard to make ends meet but struggling at it. It feels like there's not enough time in the world to do all the things you need to do, and definitely not enough time in the world to do all the things you want to do. You make up for it: you get a dishwasher to help you in the kitchen, a Roomba to help you with the cleaning, and you forget what having a good night’s sleep is all about. Chances are, the last time you had one of those was in another life.
Then, out of nowhere, someone comes along – usually unexpectedly – and demands you put aside everything you are doing and dedicate the next minutes of your life to them, unconditionally.

So yes, that’s what I think about phone calls.
Want to tell me something? Send me a message. Better yet, send me an encrypted message.

Wednesday, 17 September 2014

I Regret Nothing

Regrets, I've had a few;
But then again, too few to mention.
I did what I had to do
And saw it through without exemption.
Paul Anka, My Way (made famous by Frank Sinatra)

Do you have any regrets?
Usually when people are asked whether they regret something, the expectation is for them to say something big. Something like “I should have married that girl” or “I should have bought that new company called Apple back when Steve Jobs came begging for money to help assemble this computer on a wooden board a friend of his had invented”. Me, I’m different. I’m with Mr Anka on this one.
In my opinion, most of the time the bigger choices of our lives are so clear that there isn’t much room for wasting brain power contemplating a choice. And as such potential dilemmas go, the more you have at stake the more obvious the choice tends to be. So no, I do not regret failing to buy Apple back when it was worth an apple.
This doesn’t mean I do not have regrets. It doesn’t take much for me to feel bad for wrongdoing a friend, for hurting an ex dating partner, for being a bad parent or for annoying my wife. I classify those as Being a Dick, and I often mull over my accumulated regrets out of a lifelong career in Being a Dick.
My point is simple. First, do your best to avoid being a dick. Second, and more interestingly, I wanted to note my regrets are less to do with missing out on personal opportunities and more to do with abusing potential opportunities in order to hurt others.

Image copyrights belong to Amorphia Apparel, producers of one of my favourite shirts. I do not regret not asking for their permission to reproduce the image here.

Friday, 12 September 2014

Apple Predictions

It started with the first iPhone’s entry into our lives, and since then the trend has been too clear: each year, we [as in I, mostly] spend a significant portion of our disposable income on Apple gadgets. So much so it would be more efficient if Apple could start some sort of a salary sacrifice subscription fund and get it over with.
Given recent product announcements from the House of Apple, I thought I’d list this year’s Apple gadgets expected spending. You know, so that when my predictions turn out to be all wrong you’d be able to quote me and demonstrate just how stupidly short sighted I was. So here goes:
  1. Apple Watch? Not on my watch. First, it doesn’t satisfy any of my needs. Second, battery life. In other words, in order for me to abandon my current "strap and forget" wristwatch, Apple needs to offer me some functionality I can’t live without. So far it doesn’t.
  2. Retina MacBook Air: My biggest disappointment following this week's announcements was the lack of mentioning of a Retina Mac Air model despite persistent rumours of a 12” model utilising Intel’s new fan-less Broadwell CPUs. As much as I love my current MacAir, it is getting a bit too old. Old enough to merit a replacement? Maybe in a year’s time.
  3. iPhone 6 Plus: I won’t beat around the bush here, I’d love to have this huge tool in my pocket. Even if the 64GB version I’d go for sells for $1150 – the price of a MacBook. However, my current two year old iPhone 5 is still very much alive and kicking; as long as that is the case, I cannot justify such a spending. Barring an unforeseen breakdown, which is not too unlikely for a smartphone past its second birthday, I expect to be putting my hands on next year’s 6 Plus S instead.
  4. iPad: No, I am not about to replace my iPad Mini Retina, which has been doing an awesome job at turning my whole life paperless (what a great working tool it is!). However, it's not too unlikely our now old iPad 3 will need replacement within this year. Plus the only member of our household without an iPad is starting to feel like she’s missing out on something.
That’s 4 no-s for you. History tells me to expect a 50% accuracy rate with that prediction.

Image by Anthony Agius, Creative Commons (CC BY-NC-ND 2.0) licence

Thursday, 11 September 2014

Video Gaming Fillers

For reasons that make absolute sense, I don't like it when I'm asked to pay for services I used to receive for free. Case in point: online playing on the PS4, which requires PlayStation Plus membership at $70 (AUD) per year. Compare that with online playing on the PS3, which requires nothing but an Internet connection.
Yet I recently became a PlayStation Plus member. The reason? There is more to it than online video gaming action. PlayStation Plus comes with other bonuses, most notable of which is the ability to get certain games for free each month. As it happened, one of this month's games turned out to be a game I wanted to have a go at: Velocity 2X. It's an "arcade of old" style shooter, but it packs interesting punches: from time to time it turns into a platformer, and - more interestingly - the regular shooter action receives an adrenaline boost through the ability to teleport across the screen. The game uses that ability quite brilliantly. The result is high on, well, velocity.
Velocity 2X is probably not the game I'm yearning for the most. It's not of Mass Effect grade, but rather a filler. The point is, $70 a year offers decent value in the filler department: I get to mess around with a constant supply of nice and perhaps not so nice games to try out. Life can be much worse.
It could still be that those $70 are a waste for another reason. At the moment my PS4 is still yearning for a proper big title to rob me of my life with. That is about to change shortly with the upcoming acquisition of Destiny, followed by the November releases of Grand Theft Auto 5 for the PS4 and that most anticipated of games this year: Dragon Age Inquisition. You know, that game that's Mass Effect set in a Dungeons & Dragons like universe. Once those arrive, the fillers would be forgotten.
Then again, Dragon Age's cooperative multiplayer promises to be everything Mass Effect's cooperative multiplayer was and then some, which would mean I would need that online capability. So those $70 won't be wasted.

One other thing to note with regards to PlayStation Plus is to do with the downloading aspect. Modern games constitute fairly large downloads, measured in the gigs. Between that, Spotify playing music in the background and Netflix, it has become clear our ADSL connection simply doesn't cut it anymore. We need the NBN.
Problem is, with the Liberals in charge and their impression of fast Internet being pure bred carrier pigeons, I foresee much misery ahead.

Image by grimnjou, Creative Commons (CC BY-SA 2.0) licence

Tuesday, 9 September 2014

Basic Guide to Online Anonymity

I am often asked by people of no particular denomination what it is that they need to do in order to remain anonymous online. I therefore thought I’d share some insight here.
First, let’s have a closer look at the problem. Note the main issue people are trying to work around is not how to prevent the contents of whatever it is they do online from falling into the wrong hands. Although there are plenty of issues in that department, well implemented encryption can do a fine job as long as it's comprehensive. No, the thing that bothers these people is how to prevent their metadata from being acquired by others. As in, how to avoid leaving tracks behind when one operates online.
The first and most obvious need is to hide one’s direct activities. That is, prevent records of what one did online from accumulating somewhere in the first place, with “somewhere” usually standing for your ISP (Internet Service Provider). There are three core avoidance strategies there: proxy, VPN and TOR.
Using a proxy server implies that all your requests to access certain parts of the Internet are made on your behalf through your proxy server of choice. Whoever is looking at the breadcrumb trail you’ve left behind will see you communicating with that server, but unless they have access to the proxy server's own records they will not be able to know what you did. On the downside, using a proxy server does not mean the connection between you and the server is necessarily encrypted. By the nature of Internet things, a lot of traffic, if not most of it, isn’t encrypted. Therefore, while leaving not much in the way of metadata behind, you will still leave lots of data behind. That is where the VPN solution steps in.
The VPN solution takes the proxy approach a step further. Everything coming and going out of your computer (or smartphone or tablet) is channelled through an encrypted tunnel between you and the VPN server. There are some very sophisticated ways to tell the nature of what’s passing between you and the VPN, but not much more.
In the eyes of the rest of the world, it is not you who is communicating with the world through the Internet, but rather the VPN server. That means you put your trust with that VPN server – and that’s a lot of trust to put in someone’s hands. On the other hand, there are VPN providers whose main purpose in life is to provide a reliable channel that does not keep any records of your activities (check here for best of breed references).
TOR steps in to provide an even more secure solution. With TOR, your traffic goes in and out of the TOR network’s exit nodes several times; research indicates that after three such hops it is effectively impossible to determine where the traffic came from. Sounds cool, but TOR has its issues: it is very slow, and by piggybacking on it you use the generosity of several nice people who lend their hand to provide an exit node. TOR is therefore not suitable for high volume traffic, like downloading or streaming; I prefer to leave it to the world’s oppressed so that they have an easier time using the Internet for constructive causes.

So far we have discussed means to hide an Internet user’s IP address from the rest of the world. That is, how to prevent your computer's identifying address from getting collected in direct association with you. Whether through proxy, VPN or TOR, your main achievement is that the other side – the place on the Internet you’re communicating with – does not know who you are; instead, they recognise “you” as the proxy server, VPN server or that last TOR exit.
However, there are other ways of knowing what you’re up to online. When one uses the Internet one leaves behind a long trail of metadata. Trying to be anonymous online is, in effect, an act of making an effort to minimise that trail of metadata. For anyone other than superman, completely eliminating one's trail is as achievable as getting to that pot of gold at the end of the rainbow.
One fine example of this trail is the matter of DNS. Every time you ask to access a certain website, someone needs to be able to identify where exactly that website resides for you. That someone is called a DNS server. The DNS server contains the location of popular websites, websites recently used by others, as well as other DNS servers that might know more about the locations of things on the Internet. By default, most of us use the services of our own Internet provider’s DNS server.
The catch with using your Internet provider’s DNS server is that by doing so you are letting your provider know where you wanted to make your computer connect to through the Internet. Not the smartest way of going about if one wants to keep one’s online activities for oneself.
There are solutions available in the shape of other DNS servers. No one is forcing you to use your provider’s; you can relatively easily direct your browser or your router to use another. Google offers popular DNS servers that hold onto user requests info for 24 hours only, although it probably does the most it can analysing that data for its core business of selling advertisements.
The plot thickens, though. For example, the better VPN services will direct your querying computer to their own set of DNS servers. However, there is often some unreliability in the air that causes “leaks”: despite the best of intentions from your VPN provider, your computer still directs some or all of its DNS queries to your ISP's server. One can check for such leaks through the help of web facilities such as this.
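A local check for the kind of leak described above, added here as an example and not taken from any VPN provider's tooling: it reads a resolver configuration and reports which DNS servers sit outside the VPN's address range. The sample file, the addresses and the VPN subnet are constructed, and the function names are hypothetical.

```javascript
// Added illustration; sample data is constructed, names are hypothetical.
const net = require("node:net");

// Constructed resolv.conf-style sample: one resolver pushed by the VPN,
// one left over from the ISP's DHCP lease, a local stub, and an IPv6 resolver.
const SAMPLE_RESOLV_CONF = `
# constructed sample
nameserver 10.8.0.1        # pushed by VPN
nameserver 203.0.113.53    # ISP resolver from DHCP
nameserver 127.0.0.53
nameserver 2001:db8::53
search example.test
`;

// Extract nameserver IPs, ignoring comments, other directives and bad values.
function parseNameservers(text) {
  const servers = [];
  for (const raw of text.split("\n")) {
    const line = raw.replace(/[#;].*$/, "").trim();
    const m = /^nameserver\s+(\S+)$/.exec(line);
    if (!m) continue;
    const ip = m[1].split("%")[0]; // drop an IPv6 zone id such as %eth0
    if (net.isIP(ip)) servers.push(ip);
  }
  return servers;
}

const family = (ip) => (net.isIP(ip) === 6 ? "ipv6" : "ipv4");

// Sort resolvers into: inside the VPN range, outside it (a leak), or a
// loopback stub whose real upstream cannot be seen from this file alone.
function classifyResolvers(servers, vpnSubnets) {
  const tunnel = new net.BlockList();
  for (const cidr of vpnSubnets) {
    const [addr, prefix] = cidr.split("/");
    tunnel.addSubnet(addr, Number(prefix), family(addr));
  }
  const loopback = new net.BlockList();
  loopback.addSubnet("127.0.0.0", 8, "ipv4");
  loopback.addAddress("::1", "ipv6");

  const report = { tunnel: [], leak: [], unknown: [] };
  for (const ip of servers) {
    if (tunnel.check(ip, family(ip))) report.tunnel.push(ip);
    else if (loopback.check(ip, family(ip))) report.unknown.push(ip);
    else report.leak.push(ip);
  }
  return report;
}
```

This only shows what the machine is configured to ask; the web-based leak tests mentioned above show which resolver actually carried the query, so the two complement each other.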
One can and should make even further efforts in order to ensure their online anonymity. For example, there is no point in going through all of the above measures if you’re still logged into Google’s services (say, your Gmail account). Or, for that matter, if your computer is running an email application that checks with Google for updates regularly. Or if your computer checks on a named Apple or Microsoft account for updates. As recently discussed here, you may even be identified through the unique settings of your browser; on the other hand, you may choose to fight back by spoofing your browser’s identification using such tools as Random Agent Spoofer add-on for Firefox.
I can continue further with this list of additional things to be aware of if one wants to ensure online anonymity. I won’t, though, because the point I am trying to make is that this is an effort for which perfection demands such attention levels that there is no point in trying to achieve it. Take the Dread Pirate Roberts from the illegal drugs trading TOR "dark Internet" site Silk Road: this criminal mastermind was identified through the anti-abuse CAPTCHA service he applied to his site (see here for details).
One needs to understand that when one attempts online anonymity, one is – in effect – wearing protective onion rings on top. Most companies and people will be thrown off the track by the outer shells, but the experienced hacker can go deeper. Authorities such as the NSA, with their infinite arsenal of knowledge, resources and vulnerabilities will get you if they put their mind to it; as my colleague Edward Snowden has shown, they might not be able to crack all manner of encryption yet, but they can sure as hell infiltrate anybody’s computer if they put their collective mind to it.

If that is the case, then why bother with aspiring for online anonymity in the first place?
In our recent climate of terrorism fear mongering and governments trying to look tough by being tough on terror, we’ve been hearing that “nothing to fear, nothing to hide” argument all too often. Usually in the context of allowing governments to keep track of everybody’s exact history of online and mobile phone activities. Yes, our governments are seeking the legal right to know exactly where we were, when and what we did. We are told that we needn’t worry about them being able to do so, because we have nothing to fear as long as we have nothing to hide.
Or do we? I don’t know about you, but I don’t want governments with proven track records in losing people’s information, being hacked to death, or just harbouring plenty of petty criminals to have access to my detailed financial information. I do not want anyone and everyone to know the finer details of my health records. And if you have a chat with Jennifer Lawrence, she will tell you that she doesn’t particularly want various third parties looking at her private photos. In other words, we all have something to hide. Even if we are law abiding citizens, and I consider myself to be one, we still have things we want to keep to ourselves.
The problem is, all this information of ours that we put online is getting collected by multitudes of governments and companies who use our information to their own selfish purposes. Usually it’s to make money, and often it is done in ways that we would not approve. None of us will let someone we bump into on the street grab our phone, take our photos from it and print them for the whole world to see. Yet that is exactly what most of us are doing by the mere act of taking a photo with our smartphone, with the slight difference that the person collecting our photo is actually one or many companies.
Most people seem happy to live in blissful ignorance with regards to these issues. I don’t, which goes a long way into explaining why I will make an effort to have the ability to be [near] anonymous online.

Image by Keoni Cabral, Creative Commons (CC BY 2.0) licence

Wednesday, 3 September 2014

Playing Ball

One morning the other week I had myself an opportunity to watch children at play.
Proceedings started early, before the start of a school day. A young child was playing hand tennis, for lack of a better word, with his mother and a bouncy plastic ball. The two were enjoying themselves in a relaxed manner, trying to maintain continuous play as the ball moved from one to the other.
After several such minutes a group of other kids approached, and they wanted their go. The mother retired to let them take their turn. Immediately, and without saying a word, the goal of the game changed: instead of keeping things running, the goal turned into smashing the ball as hard as possible and as quickly as possible so as to prevent the other player from hitting it. Instead of a variation of catch, the kids were now playing something closer to real tennis.

I could not avoid reminiscing about my own time at the playground. Back in those days, the days before we had much in the way of the modern day alternatives – computers and TV – the only real alternative to outdoor play was book reading. Which meant that I read a lot and played a lot.
Perhaps due to that lack of alternatives, ball games were managed through some unwritten contract that dictated, by force of mutual benefit, that the main objective of the game is to keep on playing. Games were thus quite open and inclusive of those who did not handle a ball as well as others. More interestingly, given my contemporary observations, the competitive edge of the game was generally absent. Sure, we kept scores and all, but it wasn’t about winning; when the main objective is to keep on playing one has to ensure the other players receive constant motivation to play.
I do wonder, though, whether this difference in play style is solely a result of modern times’ excessive stimulation and overabundance of entertainment alternatives. Could it also be a cultural thing, too?
I cannot claim to have much in the way of evidence on this matter. However, I do wonder – aloud – whether that essence of what being Australian is all about has its say here. Sports is a major part of Australian culture, and right beside it are competitiveness and winner-ism. If one grows up to learn that the main goal is not to win or beat your opponent but rather to thrash them, then by default thrashing becomes the core objective of gameplay. To use a pun, it is the name of the game.
It would be interesting to observe contemporary kids in less sports obsessive countries as they play with a ball. For now, though, I will note the rather sad nature of modern gameplay between Australian males of primary school age and hold it against Aussie culture.

Image by Pascal, Creative Commons (CC BY 2.0) licence