gdp's Comments

Naked Security : Apple's iCloud iConundrum - does convenience mean insecurity?

Sun, 27 Oct 2013 01:13:56 +0000

It is my understanding that Keychains is protected by the 2-factor option. I haven't test it though as 2-factor is not available to Canadian Apple customers. I guess we don't deserve protection, seeing as we are all not-American and all. I certainly wouldn't back up my phone or store my documents on iCloud, but it really is a personal decision. The researcher who delivered the talk states he still uses iCloud, he just hopes that by pointing out its flaws Apple will fix their errors. I doubt it will work. Apple customers aren't much for holding Apple accountable for its questionable security practices.

Naked Security : Security begins at home - how to do a "back to basics" security overhaul on your family network

Wed, 23 Oct 2013 18:08:21 +0000

That is true Phil. Fortunately in Windows 8 it is also available in the Pro edition. Windows 8.1 was just released this week and it also supports encryption, by default even, if your hardware meets certain onerous specs. While that currently means it will only work for about 5 or 10 models of computer that are available, moving forward manufacturers will begin meeting Microsoft's new specifications and be able to take advantage of encryption at no extra charge. I don't have the full list of requirements handy, but the system must support Secure Boot, have a TPM version 2 or higher and contain memory chips soldered onto the motherboard. Quite stringent specs!

Naked Security : Twitter introducing new direct message options - to combat spam or invite more?

Thu, 17 Oct 2013 21:19:00 +0000

Thanks for trying this. I was working off of other media reports. So you don't follow any of these other accounts? Do they all have the feature enabled?

Naked Security : Twitter introducing new direct message options - to combat spam or invite more?

Thu, 17 Oct 2013 16:19:42 +0000

The screenshot is an example from Skype showing that they had to implement the option of not receiving anonymous private messages because of the quantity of abuse. Sorry for any confusion. I don't imagine this would impact email addresses being sent. cw

Naked Security : Oracle releases 127 security fixes, 51 for Java alone

Wed, 16 Oct 2013 17:08:24 +0000

Correct. That will work from bash on Linux and OS X as well. Many of our readers are not comfortable with the command line, so I try to avoid using it in my advice. The point of #1 is that if Java is NOT installed in your browser, than all is well. You don't need to check the version, you are already safe.

Naked Security : How to remove your face from Google's upcoming Shared Endorsement ads

Tue, 15 Oct 2013 23:35:38 +0000

Sort of. It depends on what country you are in. It appears that only US accounts are opted in by default. I have confirmed with users in the UK, Canada and Germany that it is unchecked. It is also possible it is based on other privacy preferences you may have set previously. I had opted out of Google ad tracking, and the others I checked with may have as well. The current best theory is that it is only launching on by default in the United States.

Naked Security : D-Link router flaw lets anyone login through "Joel's Backdoor"

Tue, 15 Oct 2013 23:33:08 +0000

Be sure the admin interface only listens on the inside (see screenshot), be sure your WiFi is secured and update the firmware once DLink makes a fixed version available.

Naked Security : Oracle Java fails at security in new and creative ways

Tue, 17 Sep 2013 19:37:42 +0000

Most likely no Kim. There is another technology called JavaScript which is vital for most web pages to work. Java is not related to JavaScript, despite the name. The only mainstream thing I am aware of that requires Java is the game Minecraft.

Naked Security : Oracle Java fails at security in new and creative ways

Tue, 17 Sep 2013 19:36:42 +0000

It all depends on versions and what you consider support. There are more details here: www.oracle.com/technetwork/java/eol-135779.html

Naked Security : Secure Google Docs email results in mailbox compromise

Thu, 12 Sep 2013 20:02:07 +0000

Immediately change your Google password is about all you can do. And be sure to enable 2-step verification with Google. You can use an SMS code or the Google Authenticator app on iOS and Android as a required second factor when logging into you Google account to discourage phishers from attempting to victimize you again.

Naked Security : Syrian Electronic Army brings down Twitter and The New York Times through domain name provider hack

Thu, 29 Aug 2013 03:18:55 +0000

It appears there has still been some shenanigans happening throughout the week. All that is clear is that Melbourne IT don't seem to have everything under control properly. Although I can get to the Times website, I still see a Syrian Electronic Army IP in their WHOIS data: Server Name: NYTIMES.COM IP Address: 141.105.64.37 Registrar: MELBOURNE IT, LTD. D/B/A INTERNET NAMES WORLDWIDE Whois Server: whois.melbourneit.com Referral URL: http://www.melbourneit.com

Naked Security : Syrian Electronic Army brings down Twitter and The New York Times through domain name provider hack

Wed, 28 Aug 2013 18:36:37 +0000

They were well and truly owned by the sound of it. If your records weren't altered (and they likely were not, you were not the target) you are probably fine. It would be prudent to change your login details just in case a password database was stolen. The bigger issue is why an organization like Melbourne is not using two-factor authentication for critical management tools. Might be a question worth asking them.

Naked Security : Some US states strengthen data breach notification laws, others ignore them

Thu, 11 Jul 2013 17:30:02 +0000

I don't agree that Michigan Cancer is not a covered entity. I also believe that the intent of the law is more important than the letter. The public acknowledgment of this breach is important for residents to see how the state is handing their information (handing it to third parties who apparently have no obligation to protect it). What use does Michigan Cancer have for my social security number? Are they providing benefits? Are they responsible for taxation? Why is the state handing sensitive health records and personal information to non-governmental entities? Were patients informed beforehand? If the state is authorized to do so, shouldn't they require the third party to protect the information being shared? If the third party fails to meet minimum standards for data protection, is it not the state's responsibility as well? To determine Lansing's culpability we need honest and open information and dialog.

Naked Security : Anatomy of a pseudorandom number generator - visualising Cryptocat's buggy PRNG

Tue, 9 Jul 2013 01:53:49 +0000

It isn't often I am enlightened and entertained and even less often that I get to the end of a 1400+ word blog post and feel happier for it. It's clear that it wasn't by chance and should be even more apparent by my public commentary. I don't hand out public praise, even for friends, very often. Thanks for the excellent article Duck. Chester

Naked Security : Social media privacy explained - In plain English

Wed, 29 May 2013 19:05:42 +0000

It isn't so much "asked of social networks". They analyzed the legal documents provided by the networks to answer the questions. It is my understanding that this is not coloured by the networks themselves, but purely what the privacy policies actually mean.

Naked Security : Facebook Home - Great if you think privacy is dead

Sun, 14 Apr 2013 19:22:13 +0000

Not that I am aware of

Naked Security : Massive DDoS attack against anti-spam provider impacts millions of internet users

Wed, 3 Apr 2013 02:25:12 +0000

There are many things that can be done aside from only responding to queries from within your address space such as rate-limiting. It remains unclear what the Googles, OpenDNSs and root name server operators will do to avoid abuse.

Naked Security : Massive DDoS attack against anti-spam provider impacts millions of internet users

Wed, 3 Apr 2013 02:23:00 +0000

Consider the source. While most internet users were not impacted (at least those outside of the UK and Europe), that doesn't make facts into fiction. I personally had issues communicating with our UK office a week and a half ago and while I cannot prove it was because of this attack, all signs point to that being the case. We usually don't comment on stories that appear to be a PR grab by other companies, but too many people were involved in this for it to be a scam.

Naked Security : Massive DDoS attack against anti-spam provider impacts millions of internet users

Wed, 3 Apr 2013 02:20:37 +0000

It is not a scam. Consider who you are hearing things from and decide for yourself.

Naked Security : Another Java update! Oracle brings Patch Tuesday forward to close in-the-wild hole...

Mon, 4 Feb 2013 03:58:03 +0000

As if Oracle's crazy scheduled patching isn't oddly random enough. Thanks Duck. I suppose since most people can't figure out when Oracle is supposed to release fixes there is no harm in it being early/off schedule.