This Blog Is Not For Reading

A blog, just like any blog, only more so

Cryptography and Security Events in Kitchener-Waterloo

Posted by Bob Jonkman on 9th October 2013

The months of October and November are shaping up to have some great lectures and presentations on cryptography, security and privacy.

Sheet of paper, strips of paper

Keysigning materials

Yesterday started off with an informal keysigning at the KWLUG meeting. The presentation was on the Scratch programming environment, nothing to do with GnuPG/PGP or cryptography. But a few of us exchanged little slips of paper with our key fingerprints, verified that the name with the fingerprint matched the person we knew, signed the keys, and so improved our standing in the Web of Trust. I hope that this becomes a regular part of all KWLUG meetings. The more people that participate, the more confident we can be about the validity of keys we may not have verified ourselves.

Today I attended the first UofW CSClub lecture on Security and Privacy by Sarah Harvey. If you’ve been following the news about the Snowden revelations you’ll know why security and privacy is important. The room was full of computer science, math and cryptography students, so the discussions were deep and technical.

Sarah Harvey shows a slide of Edward Snowden

Sarah Harvey shows a slide of Edward Snowden

There was a vacancy in the November KWLUG meeting so I asked Sarah if she would repeat her lecture. Let’s see what the KWLUG bosses have to say

There are more CSClub lectures scheduled, check the schedule on the CSClub site.

M-209 cipher machine

KWCrypto logo, the M-209 cipher machine

I’ve volunteered to do a presentation on Encrypting E-mail with GnuPG, Thunderbird and Enigmail, followed by a formal keysigning. I’m developing the presentation notes and keysigning procedure on the KWCrypto Interest Group Wiki that was set up after the Kwartzlab keysigning party last year. Please join me on the Wiki and the mailing list — I’d appreciate the help.


Keysigning Materials picture taken by Bob Jonkman and released under a CC BYCreative Commons — Attribution — CC BY license.

M-209 cipher machine by Greg Goebel used under CC BY-SACreative Commons – Attribution-ShareAlike 2.0 Generic – CC BY-SA 2.0

Picture of Sarah Harvey taken by Laurel L. Russwurm and used under a CC BYCreative Commons — Attribution — CC BY license.

Tags: , , , , , , , , , , , , , , , , , , , , , ,
Posted in KWLUG, PGP/GPG, privacy, security | No Comments »

Why I’m an E-mail Luddite

Posted by Bob Jonkman on 2nd October 2013

Statue of a Luddite

Luddite Memorial, Liversedge

The pervasive expectation of HTML everywhere came to light in a recent e-mail exchange:

Him: Bob, have a look at this video: LOLcats at work

Me: Did you intend to send a link with that?

Him: Yes, here it is: LOLcats at work

Me: Sorry, still no link. Remember, I don’t receive HTML e-mail…

Him: Wut? I’ve never heard of someone not receiving HTML e-mail!

E-mail was never designed for HTML; it is intended to be a plain-text medium. HTML is merely cobbled on, and mail clients have no standard way to render HTML messages, resulting in different displays on different mail programs. Some mail programs, especially those run from the command line, can’t show HTML rendered messages at all.

Although I use a graphical mail client (Thunderbird), I choose to not display HTML for two reasons:

1) Security: HTML mail can have Javascript code or other objects embedded. That’s a great way to get virus infections on your computer. I don’t want any code running on my computer that I didn’t put there myself.

2) Privacy: HTML mail that links to external images allows the owner of those images to track your mail usage: When you open the mail, how often you open it, the location you open it at, what computer you’re using, and whether you forward it to others (and then, when they open the mail, how often, their location, &c).

Not to mention that HTML messages are far bigger than text messages, especially when the HTML contains embedded images, fonts, and other stuff. Now, that’s not such a big deal with fast connections, unlimited download caps, and cheap disk drives, but it will still make a difference on small-format devices like phones and watches.

That said, if you do send me HTML e-mail, be sure to embed any images or LOLcat videos. That way I can still view them as static attachments, without revealing when, where, and how often I view them.

For more info have a look at the Wikipedia article on HTML e-mail


You can send HTML e-mail to Bob Jonkman at

The Luddite Memorial, Liversedge by Tim Green is used under a CC-BYCreative Commons — Attribution 2.0 Generic — CC BY 2.0 license.

Tags: , , , , , , , , , , , , , , , , , ,
Posted in email, privacy, security | 1 Comment »

Google Spyware considered harmful

Posted by Bob Jonkman on 16th April 2012

Google wordmark in a "No" symbol

No Google

One day I was asked:

Hi IT Peeps,

I was wondering if I would cause major havoc if I downloaded google chrome? Will it mess anything up? Any recommendations?

My answer:

What problem are you trying to solve? What’s the question that gets answered “Install Google Chrome”?

Google the company is becoming ever more pervasive in our Internet lives. Google’s business is not providing a search engine for free; Google’s business is to sell our demographic information to advertisers. They gather that demographic data by luring us in with relevant search results, free e-mail and slick looking browsers.

Google collects personal information, including information that was voluntarily given to Google (for instance, by signing up for GMail or Google Plus; posting a video on YouTube), information that was collected anonymously (eg. when you perform a Google search or watch a YouTube video and Google records the search terms, your IP address, and leaves a cookie on your computer), and information that Google collected as it does its web indexing (comments you’ve left on a newspaper site, Tweets you’ve made, messages you’ve posted to public mailing lists). Google then correlates all this data based on IP address, cookies, e-mail addresses, your name, geo-location (finding out where you are based on your WiFi connection or IP address).

As of 1 March 2012 Google changed its privacy policies to combine data mining from all its holdings – the search engine, YouTube, Picasa, Google Maps, Google Plus, Google Mail, &c. I didn’t think too much of that, since I had thought that Google had always aggregated its data. According to an article I read[1] that’s actually a new development. Google used to keep all its data mining separate, in fact, kept it so separate that it didn’t even correlate its adwords between different messages in GMail. With the new privacy policy that’s all changed, and everything is now aggregated, correlated, and retained to be sold to the highest bidder. Google says we’ll never sell your personal information or share it without your permission, but you grant that permission every time you agree to the Terms of Service and Privacy Policies when you sign up for Google’s services.

Remember the Google Toolbar? Every search request, every URL, and every local file you opened in a browser with the Google toolbar installed was sent to the Google servers. There was a report of someone who opened confidential company documents with IE and the Google toolbar, only to find those reports cached on Google’s servers. Google Chrome is far more invasive than a mere toolbar.

Google Chrome does not have the same set of security-related add-ons that Firefox offers. For your best privacy protection and security, use Firefox with the NoScript, AdBlock Plus, HTTPS-Everywhere and Force-TLS extensions. See my article on Browser Security for details on installing and configuring them.

–Bob, who will be getting fitted for a new tinfoil hat at lunch…

Footnote 1: I wish I knew what article that was. To my recollection, the author said he wouldn’t trust Google with his data again. He had visited the Googleplex some years earlier, and was told how Google kept the data from its different projects in separate silos, so that profile aggregation was next to impossible. Data silos were so extensive that although one GMail message might trigger certain AdWords, there was no tracking between messages. I read the article in March of 2012; if you can provide me with a link let me know in the comments.

Update 8 Nov 2012: A similar quote about data silos from Google’s Vic Gundotra appears in the CNN article Google exec: We won’t break users’ trust.

Tags: , , , , , , , , , , , , ,
Posted in considered harmful, Google, Google Free, Internet, privacy | 2 Comments »

Browser Security

Posted by Bob Jonkman on 30th November 2011

Browser vulnerabilities are a common contributor to computer malware. Attacks have become so sophisticated that just viewing a Web page with an unsecured browser can infect your computer with malware. Fortunately, there are settings and extensions that will make surfing the Web a safer experience.

Browser selection

This article deals only with securing Mozilla Firefox. Firefox offers an wide selection of extensions that can help secure the browser. Google Chrome, Opera and Safari also offer some extensions, but I have not tested them. Microsoft Internet Explorer appears to support Add-ons, but Version 8 offers none for browsing security.

Internet Explorer is particularly vulnerable. In part, this is because IE is by far the most popular browser, and so it suffers the most attacks. Because it is the most popular browser it is especially targeted for attack by malusers. And compounding the problem, Microsoft has been slow to acknowledge vulnerabilities in its products, never mind fixing them.

Privacy settings

Privacy is not so much about keeping your personal information secret, but about keeping control over your personal information. If I choose to tell Facebook my name, age and browsing habits that’s OK, but my privacy is violated if Facebook finds out about my browsing habits if I don’t tell Facebook myself.

Malware is pretty good at correlating information when you least expect it. For example, you may keep your browsing history confidential, but allow Javascript to change the layout of your screen. To do so Javascript reads elements of the Document Object Model (DOM), including the colour of text. But if a link is coloured purple instead of blue, then Javascript can figure out that you’ve visited that link before, violating your privacy settings for browsing history.

To see your Firefox Privacy settings select Tools, Options and click the Privacy icon.

screenshot of Firefox Privacy dialogue

Settings for Firefox Privacy options

For maximum protection check Tell Web sites I do not want to be tracked and select Firefox will: Never remember history. But having to type in all your passwords and data every time you access the same web sites can be inconvenient, so I actually browse with the setting Firefox will: Use custom settings for history, leaving Always use private browsing mode unchecked. It is usually safe to have Accept cookies from sites turned on, with Accept third-party cookies turned off and Keep until: I close Firefox selected. Custom settings for Clear history when Firefox closes has only Cookies and Active Logins checked:

Screenshot of Clearing History dialoge

Firefox Clearing History

Security settings

To see Firefox Security settings select Tools, Options, then click on the Security icon.

Screenshot of the Security tab in Options

Screenshot - Firefox, Tools, Options, Security

For maximum security, make sure all the checkboxes are checked.

Warn me when sites try to install add-ons will avoid drive-by infections, which is when merely browsing a Web page with Javascript enabled can launch malicious processes. This will at least give you a warning.

Block reported attack sites and Block reported web forgeries do add some additional protection from malware sites, but potentially at some expense of your privacy. Every 30 minutes Firefox downloads a list of malware sites. If you browse to such a site then Firefox will check for that particular site immediately before blocking it. It uses Google’s malware list to do so, and will send Google’s cookies when checking.

You can test for phishing protection at the phishing test site and for malware protection at the malware test site.

Use a master password will encrypt the list of passwords stored on your computer. This is mostly useful if your computer should get stolen or left on the bus, but without the Master Password it might be possible for a malware site to retrieve your list of passwords through some (as yet unknown) vulnerability.

Security Extensions

Firefox’s extensive collection of extensions (Add-ons) make it my preferred browser.


NoScript prevents Javascript from executing on specific web sites.

Javascript determines the fourth characteristic of a web page (Content, Semantics, Presentation, Behaviour). A well-designed web site will degrade gracefully — if the browser cannot manage the page layout (Presentation), it should still be able to identify the components of a page such as paragraphs and headers (Semantics), and still show the Content. Even if the browser can’t identify a paragraph from a heading (Semantics), it should always show the content. Javascript is responsible for the behaviour of a page. This is what makes Google Maps’ slippy map work when you drag the mouse cursor across the page. That behaviour degrades gracefully, so that when you view Google Maps with Javascript disabled you can still see a static map. Sadly, many web sites today are designed so that Javascript is required to show the content. NoScript addresses this problem by selectively allowing you to enable Javascript for those sites that you trust.

NoScript has expanded its scope so that it now also checks for Cross-Site Scripting vulnerabilities, Application Boundary violations, and other esoteric security concerns.

Adblock Plus

Adblock Plus removes ads. That’s wonderful all by itself, but there’s more! When ads are blocked, you don’t waste any bandwidth downloading them. But there’s more! The hits from Web Bugs aren’t recorded and tracked. And blocked ads from third-party sites can no longer query third-party cookies, or enable cross-site scripting attacks.

When you install Adblock Plus you’ll be asked to subscribe to one of the pre-defined block lists. I usually choose EasyList or


ForceTLS requests an encrypted page (https) when the server supports it. The functionality is now built into Firefox directly, but ForceTLS still provides a handy dialogue box to add Web sites for servers that don’t automatically switch to https.

HTTPS Everywhere

HTTPS Everywhere forces a Web pages to use https, and can change the URL for those sites that use different URL paths for their secure content. HTTPS Everywhere only works for Web sites in its Preferences list:

Screenshot of HTTPS-Everywhere preferences

HTTPS-Everywhere preferences

HTTPS Everywhere is not maintained on the Mozilla Add-ons web site, so you have to download it from the EFF directly. Firefox will ask you to verify that you want to install an add-on from an unknown site. Click on the Allow button to install the HTTPS Everywhere add-on.

Installing the HTTPS-Everywhere extension in Firefox

Keeping Updated

Security is not a single solution to a single problem. It is a constantly evolving process that tries to keep up with constantly evolving attacks. It is important to keep everything up-to-date.

Updating the Browser

To ensure that the browser and all its extensions stay up-to-date check all the boxes on the Tools, Options, Advanced, Update screen:

Screenshot of the Firefox Update screen

Updating Firefox

Updating Extensions

To update the Firefox extensions select Tools, Add-ons, click on the Tools for all add-ons button, and make sure there is a check mark beside Update Add-ons Automatically. If there is no check mark then click on Update Add-ons Automatically, and you should also perform updates manually by selecting Check for Updates. If there are any updates a View all updates link will be displayed, click on it, then click on the Update now button for each add-on in the list.

Screenshot of the Firefox Add-ons Update button

Screenshot showing the 'Update' menu

Updating the Operating System

Finally, no amount of browser security will keep you safe if your operating system is not safe. Be sure to activate Windows Updates (or Linux Updates, or AppleMac Updates), and keep your Anti-virus software, firewall, spam filters and other security software up-to-date.


Tags: , , , , , , , , , , , , , , , , , , , , , , , ,
Posted in Internet, security | 3 Comments »

The Verdict on Google Plus: Mostly Harmless

Posted by Bob Jonkman on 13th October 2011

Don't Panic, They're Only Vogons

Don't Panic, They're Only Vogons by Patrick Hoesly

After dissing Google Plus I was persuaded to try it out for a while before rendering a verdict. So now it’s been over two months, and my verdict is: Mostly Harmless.

When I get home after a hard day of working with a computer, I sit down for a pleasant evening of relaxation with a computer. I read my e-mail, read the news, and read the microblogs. I subscribe to 55 people on, and I follow 84 people on Twitter. Those 139 people generate sufficient 140 character messages to keep me reading until bedtime and beyond.

But on my Google Plus account, I have 27 people in my circles. Those 27 people create a lot of large messages. In fact, they generate a lot more content than my 139 Identicats and Tweeple, since Google Plus puts no limit on the size of messages.

22 of the 27 people are in my Tech Circle. But instead of receiving only technical content from these people, they’re posting messages about vacations, favourite bands, philosophy, and yes, pictures of cats.  Now, this happens on the microblogs too, but on a microblog it’s limited to 140 characters, and I can ignore them.  On Google Plus the posts are much longer, have pictures attached, comments from other people, and those ubiquitous “John Q. Public originally shared this post” and “Click to +1 this post”.  Google Plus does not have the tools to filter messages by content, or even a method to collapse a conversation thread.

There’s no Atom/RSS feed, so I can’t use my preferred feed reader to analyze, sort and organize my Google Plus message stream. And I don’t know of any third-party applications to read, write and manage content on Google Plus. Google Plus does allow the export of all its content, under Account Settings, Data Liberation. Contact info is in the standard vCard format, suitable for importing into addressbooks.

Kudos to Google for giving users useful control of their data. Still, Google also has access to that data, and continues to collect ever more. In the past I’ve recommended Google Mail as a preferred no-cost e-mail host. Recently Google has taken to verifying new users by requiring them to supply a phone number. Google then sends a text message for the user to enter into the registration form. This is a level of data collection that I find creepy, and so I no longer recommend Google Mail.

Finally, to top it all off are the Google Nymwars. Much has been written about why Google’s policy of requiring real names is wrong-headed. Some people whom I might follow have stopped using Google Plus because of the nymwar controversy. I think I’ll be joining them in disdaining Google Plus.

  • Google Minus: Banality of user content (not Google’s fault)
  • Google Minus: Lack of management tools
  • Google Plus: User control over data
  • Google Minus: Google control over data
  • Google Minus: Nymwars

I think that Google Plus is not the Facebook Killer the folks in Mountain View want it to be.

The image 740 – Towel Day – Pattern by Patrick Hoesly is used under a Creative Commons Attribution 2.0 Generic (CC BY 2.0) license.

Tags: , , , , , , , , , , , , , , , , ,
Posted in considered harmful, Google, Google Free, Microblogging, Social Media | No Comments »

Google Plus considered harmful

Posted by Bob Jonkman on 29th June 2011

Google Plus login screen, with errors

Google Plus Screenshot

Google Plus is available.

I won’t be using it. Google has too much of my data already.

For gushing, sycophantic reviews see Mashable and Techcrunch.

Update 8 July 2011: Someone pointed out that I should probably investigate Google Plus before dissing it, so I’m licking the Google salt block. There will another blog post with the results of this investigation… In the meantime, Circle Me!

Update: 13 October 2011: The Verdict on Google Plus: Mostly Harmless

Tags: , , , , , ,
Posted in considered harmful, Google, privacy | No Comments »

Better Tag Cloud