18 April 2010

Cyberspace May 2010

Passwords

Passwords are a hassle. My password manager holds over 300 combinations of usernames, passwords and other details. There's no chance I could remember all that, so I have two alternatives - use a password manager like LastPass or RoboForm, or just use two or three combinations for all of them.

What's wrong with using just a couple of different usernames and passwords? Well, this week I received an email from Atlassian, a software developer with whom I have an account. Atlassian had a security breach which exposed the passwords of a proportion of their customers. This raised two issues: (1) the passwords shouldn't have been stored unencrypted anyway, and (2) if I were the hacker I would try the same username and password combination from Atlassian at HotMail, Gmail, FaceBook, MySpace and every other popular web site. I bet the hacker will log in successfully in many cases.
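As an added illustration of what "not stored unencrypted" means in practice (this is example code, not anything from the column or from Atlassian's own systems): the usual defence is to store a salted one-way hash rather than the password or a reversible encryption of it, so that a leaked table gives an intruder hashes to crack one at a time instead of passwords to replay at other sites. The script below is a constructed example using the openssl command-line tool's SHA-512-crypt scheme (`openssl passwd -6`); the usernames, passwords and credential file are all made up.

```shell
#!/bin/sh
# Added example (not code from the original column): store passwords as
# salted hashes instead of plaintext, using the openssl CLI's SHA-512-crypt
# scheme ("openssl passwd -6"). If the table leaks, the attacker gets hash
# strings to crack one at a time, not passwords to replay at other sites.
set -eu

# hash_password PASSWORD: print a "$6$<salt>$<hash>" string with a fresh
# random 16-character salt, so two users with the same password get
# different stored values.
hash_password() {
    salt=$(openssl rand -hex 8)
    openssl passwd -6 -salt "$salt" "$1"
}

# verify_password PASSWORD STORED: recompute with the salt embedded in STORED
# and compare. Succeeds (exit 0) only on a match.
verify_password() {
    salt=$(printf '%s' "$2" | cut -d'$' -f3)   # "$6$salt$hash" -> field 3
    candidate=$(openssl passwd -6 -salt "$salt" "$1")
    [ "$candidate" = "$2" ]
}

# A constructed credential file in "username:stored-hash" form.
DB=$(mktemp)
trap 'rm -f "$DB"' EXIT

# add_user USER PASSWORD: record the hash, never the password.
add_user() {
    printf '%s:%s\n' "$1" "$(hash_password "$2")" >> "$DB"
}

# check_login USER PASSWORD: look up the stored hash and verify against it.
check_login() {
    stored=$(grep "^$1:" "$DB" | head -n 1 | cut -d: -f2-)
    [ -n "$stored" ] && verify_password "$2" "$stored"
}

# Stand-alone demo: two constructed users choose the same password.
add_user alice 'correct horse battery'
add_user bob   'correct horse battery'
cat "$DB"                                   # different hashes despite the same password
check_login alice 'correct horse battery' && echo "alice: login ok"
check_login bob   'wrong password' || echo "bob: rejected"
```

Note that the salt does nothing to protect a weak or reused password: it only stops one cracked entry from exposing every other account with the same password, which is exactly the situation a password manager with unique passwords per site avoids.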

The only real answer to this problem is to use a password manager. I can recommend both of the managers I've mentioned, and they both have iPhone clients as well.

Copyright

One of the interesting sequels to the film studio's recent unsuccessful action against iiNet is that some ISPs have changed the way they deal with infringement notices from reputable copyright management agencies. In the past Exetel passed on any notices it received and blocked the user's access until they acknowledged that "they have received the infringement notice and either complied with it or denied the allegation." Exetel has notified its customers that it will continue to forward any notices, but will no longer take any other action.

Secure connections

You use an encrypted connection known as SSL whenever you connect to your bank or other secure site - you can recognise it because the address starts with https. SSL relies on the bank having a valid certificate, recognised by your browser, certifying that the web site really does belong to that bank. These certificates are issued by certain organisations, and web browser manufacturers choose to 'trust' these issuers. These 'root' issuers can also choose to trust other issuers, so that these intermediate issuers are effectively trusted completely as well. Firefox trusts well-known issuers such as VeriSign and Wells Fargo, but Windows, and thus Internet Explorer, also trusts the Hongkong Post Office, AAA Certificate Services, and AC RAIZ DNIE. Who are these organisations and why should I trust them?

A recent paper by C Soghoian and S Stamm (http://files.cloudprivacy.net/ssl-mitm.pdf) paints a scenario in which "government agencies may compel a certificate authority to issue false SSL certificates... that can be used to covertly intercept... secure web-based communications." They go on to say that currently available products could be used in such a scenario. The authors have now released Certlock, an add-on to Firefox, which watches for changes in root certificates. Is this a real problem for us now? Probably not, but it does show that SSL is not the panacea we'd like to think it is.
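The trust chain described in the two paragraphs above can be reproduced on a desk with the openssl command-line tool. The script below is an added example (not code from the column, from the paper, or from the Certlock add-on) that builds a made-up root, an intermediate trusted through it, and a server certificate for an invented host name, then shows three things: the server certificate verifies against the root it descends from, fails against an unrelated root, and a certificate for the same host name issued by that unrelated root verifies just as well once that root is treated as trusted. The only visible difference between the two server certificates is the issuer name, which is what an add-on watching for issuer changes has to work from. All names and files here are constructed.

```shell
#!/bin/sh
# Added example (not code from the original column or from the paper it cites):
# build a small certificate hierarchy with the openssl command-line tool and
# see what "openssl verify" does and does not check. Every name here is made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# A self-signed root CA, standing in for an issuer a browser vendor ships as trusted.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=Example Root CA" -keyout root.key -out root.pem 2>/dev/null

# An intermediate CA signed by that root. CA:TRUE is what lets it issue
# certificates in turn, so trusting the root implicitly trusts it too.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=Example Intermediate CA" -keyout int.key -out int.csr 2>/dev/null
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 1 -sha256 -extfile ca.ext -out int.pem 2>/dev/null

# The bank's server certificate, issued by the intermediate for a made-up host name.
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:bank.example\n' > leaf.ext
openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=bank.example" -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -days 1 -sha256 -extfile leaf.ext -out leaf.pem 2>/dev/null

# A second, unrelated root, which issues its own certificate for the same host name.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=Unrelated Root CA" -keyout other.key -out other.pem 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=bank.example" -keyout leaf2.key -out leaf2.csr 2>/dev/null
openssl x509 -req -in leaf2.csr -CA other.pem -CAkey other.key -CAcreateserial \
    -days 1 -sha256 -extfile leaf.ext -out leaf2.pem 2>/dev/null

# verify_chain TRUSTED_ROOT LEAF: succeed only if LEAF chains to TRUSTED_ROOT
# (int.pem is offered as an untrusted helper, as a server would send it).
verify_chain() {
    openssl verify -CAfile "$1" -untrusted int.pem "$2" >/dev/null 2>&1
}

# issuer_of CERT: print the issuer name, the one field that tells the two
# bank.example certificates apart once both roots are trusted.
issuer_of() {
    openssl x509 -noout -issuer -in "$1"
}

# Stand-alone demo output.
if verify_chain root.pem leaf.pem;   then echo "leaf.pem  trusted via Example Root CA"; fi
if verify_chain other.pem leaf.pem;  then echo "unexpected"; else echo "leaf.pem  rejected under Unrelated Root CA"; fi
if verify_chain other.pem leaf2.pem; then echo "leaf2.pem trusted via Unrelated Root CA (same host name)"; fi
issuer_of leaf.pem
issuer_of leaf2.pem
```

The browser's position is the same as `verify_chain`'s: it checks only that the certificate chains to some root in its store, so every root on the list, whoever operates it, can vouch for any site. Keeping a record of which issuer vouched for a site last time, and raising an alarm when that changes, is the detection the Certlock add-on is built around.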

Computer use policies

The New Jersey Supreme Court recently dealt with Stengart v. Loving Care Agency, Inc., No. A-16-09, holding that an employee who used her work computer to access her (web-based) Yahoo! email to contact her lawyers had a 'reasonable expectation of privacy'. This was despite a policy allowing workplace monitoring. This case has a few holes in it, since it involves a 'subjective' expectation of privacy. In this context that meant the employee thought webmail did not leave content on the computer (it actually does), and she was communicating with her lawyers in relation to a workplace issue. There was apparently some ambiguity in the surveillance policy, which led the court to say that she did not waive privilege, and that she was entitled to privacy because she took steps to use an apparently 'private' email system.

I don't think this is a great decision (unless the policy really was hopeless), but it's instructive for the next draft of your or your clients' reasonable computer use policy.