So how well are the TSA doing?

Back in 2012, Gallup released a poll that announced just over half of Americans were positive about the TSA. That, only being the opinions of regular people, needed to have a wee prod in the name of science. ABC News* reveals that the TSA keeps America safe 3 times in 70.

That’s despite having spent over $550 million in equipment and training since 2009–the last time they failed a review.

If these were the results of a child doing a school test, this would surely be indicative of a learning disability.

I think the only people that are truly sleeping well are the ones selling security scanner equipment. I imagine half a billion dollars in the bank buys a lot of peace of mind.

* Warning: Videos autoplay when you visit this site.


TLS and Not-Security

So there’s a really bad post on Ars Technica about TLS and email. Apparently TLS makes everyone more secure and increases everyone’s privacy.

Uh, no.

TLS encrypts the whole session between your mail client and your mail server: the login, and the message while it is in transit on that connection, so neither can be sniffed. This is especially important if you’re on an open network or using wifi.

But once it’s on the mail server, it’s sitting there in plain text, readable by whoever runs that server.

TLS stands for TRANSPORT LAYER Security. That’s all it’s securing: the transport of your message to the one server you’re directly connected to. Every hop after that is a separate connection that negotiates (or doesn’t negotiate) TLS on its own. If the receiving server at the other end doesn’t accept TLS, or if the recipient forwards their mail to one or a dozen other offsite mailboxes, then your message crosses the wire in the clear on that hop and TLS has bought you nothing extra there. The Received: headers on a delivered message record each hop and whether it was encrypted, so you can check rather than guess.

All you get with TLS is that people can’t sniff your password, or that one message, for the eighth of a second it takes to reach your own mail server. That’s pretty much it.
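A way to see exactly where the transport protection stops, added here as an example (it is not from the Ars article or from any mail software): each Received: header records one hop, and MTAs that followed RFC 3848 tag an encrypted hop with a `with ESMTPS` or `with ESMTPSA` clause, while some servers instead append a `(version=TLS… cipher=…)` clause. The message below is constructed for the example, not a real capture, and the hostnames in it are made up.

```python
import re
from email import message_from_string

# "with" protocol tokens that mean the hop used TLS (RFC 3848 naming).
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}

# Constructed sample message: three hops, the middle one without TLS.
# Received: headers are prepended on delivery, so the topmost is the last hop.
SAMPLE_MESSAGE = """Received: from mx.example.org (mx.example.org [203.0.113.5])
        by mail.example.net (Postfix) with ESMTPS id ABC123
        for <bob@example.net>; Mon, 01 Jul 2013 10:00:03 +0000
Received: from relay.example.com (relay.example.com [198.51.100.7])
        by mx.example.org with ESMTP id XYZ789
        for <bob@example.net>; Mon, 01 Jul 2013 10:00:02 +0000
Received: from [192.0.2.10] (client.example.com [192.0.2.10])
        by relay.example.com (Postfix) with ESMTPSA id DEF456
        for <bob@example.net>; Mon, 01 Jul 2013 10:00:01 +0000
From: alice@example.com
To: bob@example.net
Subject: hop check

body
"""


def parse_received(value):
    """Pull the from/by/with clauses out of one Received: header value."""
    v = " ".join(value.split())  # collapse header folding to single spaces
    m_from = re.search(r"\bfrom\s+(\S+)", v, re.I)
    m_by = re.search(r"\bby\s+(\S+)", v, re.I)
    m_with = re.search(r"\bwith\s+(\S+)", v, re.I)
    proto = m_with.group(1).upper() if m_with else ""
    # Encrypted if the protocol token says so, or a TLS version clause is present.
    tls = proto in TLS_PROTOCOLS or re.search(r"version=TLS", v, re.I) is not None
    return {
        "from": m_from.group(1) if m_from else "?",
        "by": m_by.group(1) if m_by else "?",
        "with": proto,
        "tls": tls,
    }


def hops(raw_message):
    """Return the hops in chronological order (sender's first hop first)."""
    msg = message_from_string(raw_message)
    received = msg.get_all("Received") or []
    return [parse_received(v) for v in reversed(received)]


def cleartext_hops(raw_message):
    """The hops on which the message crossed the wire without TLS."""
    return [h for h in hops(raw_message) if not h["tls"]]


if __name__ == "__main__":
    for n, h in enumerate(hops(SAMPLE_MESSAGE), 1):
        status = "TLS" if h["tls"] else "CLEARTEXT"
        print(f"hop {n}: {h['from']} -> {h['by']} ({h['with'] or 'unknown'}) {status}")
```

On the sample message the first hop (client to relay, ESMTPSA: TLS plus authentication) and the last hop (mx to mailbox server, ESMTPS) are encrypted, but the hop between relay.example.com and mx.example.org used plain ESMTP, which is the point of the paragraph above: TLS on your own hop says nothing about the others. Received: headers are written by the servers themselves, so a hostile relay can lie in them; treat the check as a diagnostic, not a guarantee.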

Your shit password still needs changing though, because brute-force login attempts against mail servers haven’t slowed down, and TLS does nothing to stop them. And the odds of your password being your partner’s, pet’s or child’s name with an 01 appended to the end of it are pretty high.

If you really want privacy and security, encrypt all your emails end to end with PGP/GPG, so the message is unreadable on every server it passes through and not just on one hop. Not just the sensitive ones, because encrypting only those tells anyone watching exactly which messages are worth the effort. Encrypt everything. But PGP’s apparently too hard, and most people refuse to take an extra step because of the inconvenience.

Contact Databases: It’s Not Just Facebook

Packetstorm has an article on the aftermath of the Facebook contact info leak. The short story is that Facebook merges contact details for users from any source it can. And if you download your contact list, it will contain all the info about each contact that they can scrape from all the other Facebook users’ contact lists.

Yeah. Think about that for a bit.

But it’s not just Facebook. I haven’t tested the extent of this, but I have a GMail contact, whom I’ll call Bob. Bob has a GMail address. In my address book, I have his email address, and the name field says “Bob”.

However, when I create an email, I start typing in Bob’s email address, and choose it from the list (which it matches from my contact list). The name that appears in the To: field? His mother-in-law. Which completely fucking threw me for a loop because I had no idea of her name before that. And it’s not his surname, so I was lost.

Turns out, he and his wife set up a Google+ account for her mother. But because said mother didn’t have an email account (or one they could access from where they were), they put in their own email address.

So now, every time I email them, regardless of what I have entered into my own contact list, GMail places the mother-in-law’s name in there. I can’t change this. It’s completely out of my control. It also means that if I CC them on a list, everybody will see the mother-in-law’s name.

This is not good security. This is not privacy. And this is just another example that Google are, in fact, now evil.

Is this an exaggeration on my part? Possibly, but not by much. I don’t trust them any more. I used to be a Google fanboy, but over the last few years my estimation of them has fallen drastically. Not as much as it has for the likes of Facebook, but no doubt, it’s just a matter of time.

We are no longer in control of our information. The only way to maintain privacy in this Too-Much-Information Age is to live off the grid. Not just off the Net, but real life too. Don’t have a phone, don’t have an email address, or someone, somewhere will add you to their contact list. And when they do, everyone else attached to that service knows your info too. Welcome to the Cloud.

When Facebook says “we care about your privacy,” they are lying. They don’t. Their entire business model revolves around your information and everything you do being as public as possible. If they were building a private social network, they wouldn’t have grown as large, they wouldn’t be making a tenth of what they do from ads, and social games would have flopped. It seems Google are in the same business now. Except Google also have access to all your search queries, cached copies of all your websites, all your emails if you use GMail, etc. Think you’re safe on Hotmail? They have a search engine, they have a web browser, they have a mail system, they have a community–well, several actually if you count their Xbox Live, which may have multiple incarnations–and more.

You have no control of your information. Partially, that’s why I run my own web server, and why I’m now posting all my rants here rather than directly to a social network. If I post it on their site, I have no control over it. If I merely post a link to my blog, then my content remains intact and mine.

That PRISM thing you may have heard of? All they’d need to do would be to have access to Facebook, Google, Yahoo, and Microsoft, then they’ve got 95% of pretty much everything.

Heard the phrase “if you’re not paying for it, then you’re the product“? Yeah. That.