SpiderOak’s canary

I used SpiderOak for a while a couple of years ago, and liked it, but not enough to pay for it. When they stopped offering their free tier I went back to Dropbox. SpiderOak said they encrypted everything, but that wasn’t important to me and I didn’t rely on it. In any case I’m not going to trust any encryption product that isn’t open source. More, I don’t trust anything I don’t understand, which in practice limits me to the Imelda’s-shoes protocol. SpiderOak said they were committed to having everything open source eventually, but they seem not to have got there yet.

Now it seems SpiderOak’s Warrant Canary Died. They say it didn’t really die, but that they changed to a transparency report or something. As far as I can tell, that means either that they accidentally killed their canary, and so don’t rely on SpiderOak for encrypted file storage, or that the canary functioned as designed, and so don’t rely on SpiderOak for encrypted file storage.

Again, SpiderOak worked fine for me when I used it, and there’s no reason I know to trust them less than Dropbox; but there’s no reason to trust them any more than Dropbox either.

Firefox and Tor security tweak

Look-Alike Domains and Visual Confusion

The suggested fix for Tor and Firefox: “If you’re a Firefox user and would like Firefox to always render IDNs as their punycode equivalent when displayed in the browser address bar, type ‘about:config’ without the quotes into a Firefox address bar. Then in the ‘search:’ box type ‘punycode,’ and you should see one or two options there. The one you want is called ‘network.IDN_show_punycode.’ By default, it is set to ‘false’; double-clicking that entry should change that setting to ‘true.’”

The same fix worked for Palemoon, which I’m using right now.
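
What that setting changes, as an added example that is not from the quoted article: the Python below converts a hostname to the punycode form the address bar would show and flags labels that mix alphabets. The sample hostname is constructed, and the script check (first word of the Unicode character name) is a rough heuristic assumed for illustration.

```python
import unicodedata


def to_punycode(host: str) -> str:
    """ASCII (xn--) form of a hostname, as shown when IDNs are not rendered."""
    # Python's built-in "idna" codec encodes each dot-separated label.
    return host.encode("idna").decode("ascii")


def scripts(label: str) -> set:
    """Rough script detection: first word of each letter's Unicode name."""
    found = set()
    for ch in label:
        if ch.isalpha():
            found.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return found


def review(host: str) -> dict:
    """Return the punycode form plus any labels mixing two or more scripts."""
    mixed = [lab for lab in host.split(".") if len(scripts(lab)) > 1]
    return {"punycode": to_punycode(host), "mixed": mixed}


# Constructed sample: the first letter is CYRILLIC SMALL LETTER A (U+0430),
# which many fonts draw identically to the Latin "a".
LOOKALIKE = "\u0430pple.com"

if __name__ == "__main__":
    for host in (LOOKALIKE, "example.com"):
        result = review(host)
        print(f"{host!r:20} -> {result['punycode']:20} mixed={result['mixed']}")
```

A label written entirely in one non-Latin alphabet is not flagged as mixed, but its punycode form still begins with xn--, which is why showing punycode in the address bar catches that case as well.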

Speaking of criminals

In this paragraph from The Trivium, the topic is ambiguity:

“Telephone books add addresses, empirical descriptions, to proper names in an effort to make them unambiguous in their reference. The identification cards of criminals are attempts to make a proper name unambiguous by supplementing it with an empirical description, a photograph, and fingerprints, which are regarded as unique in the truest sense of the word, because no two are exactly alike.”

Would anyone today assume identification cards were for criminals?

It reminds me of King David’s census, in chapter 21 of First Chronicles.

Identifying leakers

by invisibly fingerprinting text with zero-width characters.

In the example at the link, the zero-width characters don’t show up in Windows notepad or in the html source; they are (at least some are…) visible when the example is pasted into Vim.
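
A way to make such characters visible in any editor, as an added example that is not from the linked article: the Python below lists, marks, and strips invisible format characters. It goes slightly beyond zero-width characters by matching the whole Unicode "Cf" (format) category, and the sample sentence is constructed.

```python
import unicodedata


def is_hidden(ch: str) -> bool:
    # Category "Cf" covers zero-width space, joiner and non-joiner, word
    # joiner and the BOM, plus other invisible format controls.
    return unicodedata.category(ch) == "Cf"


def hidden_chars(text: str) -> list:
    """List (index, code point, name) for every invisible format character."""
    return [(i, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNNAMED"))
            for i, ch in enumerate(text) if is_hidden(ch)]


def reveal(text: str) -> str:
    """Replace each hidden character with a visible <hex> marker."""
    return "".join(f"<{ord(ch):04x}>" if is_hidden(ch) else ch for ch in text)


def strip_hidden(text: str) -> str:
    """Remove hidden characters. Caveat: this also removes legitimate joiners
    used in emoji sequences and in some scripts (e.g. Persian)."""
    return "".join(ch for ch in text if not is_hidden(ch))


# Constructed sample with four different zero-width characters embedded.
SAMPLE = "Quarterly\u200b results\u200c are\u200d confidential\ufeff."

if __name__ == "__main__":
    for index, codepoint, name in hidden_chars(SAMPLE):
        print(f"{index:3}  {codepoint}  {name}")
    print(reveal(SAMPLE))
    print(strip_hidden(SAMPLE))
```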

Equifax hacked

Breach at Equifax May Impact 143M Americans

Equifax Breach Response Turns Dumpster Fire

Lots to read, but it’s necessary to do so before you do anything. For instance, there seems to be no point and some risk just in checking the site Equifax put up to see if your information has been compromised.

UPDATE: The title of this post, “Equifax hacked,” might be a bit misleading. I don’t know exactly what happened in this case. Consider a hypothetical. If Japanese agents killed the guards, drilled into Colonel Blimp’s safe, and made their getaway in an ultra-light helicopter they assembled from parts they carried in, then the Post could report “Japanese Agents Steal War Plans.” If Colonel Blimp left the war plans at McDonald’s, and an opportunistic thief picked them up and sold them to the Japanese, the Post wouldn’t say “Japanese Agents Steal War Plans.”

Google’s moral imperatives

What are they?

Airbnb canceled the accounts of people Nazis attending the recent rally in Charlotte. Twitter and Facebook regularly shut down the accounts of the more odious haters. Will Google do less? They scan users’ email to identify people interested in, say, Ford trucks; surely they can scan to spot white supremacists.

Current law might not let them publish contact information and probable employers (though they might be able to share information with selected NGOs); but it does seem like Google would feel obliged at least to close the accounts of people whose email or blogging clearly shows they are white supremacists, racists, misogynists, homophobes, Islamophobes, or transphobes. Twitter can do that, and does. Fascists, white supremacists, and Nazis shouldn’t be allowed to legitimize their hate with a gmail address or Blogger account. Isn’t Google, famously not evil, obliged to use at a minimum all legal means to resist evil?

Until we know more clearly what Google sees as their moral obligations, it might be better to look elsewhere for web searches and email.

UPDATE 19 August 2017: ProPublica, Working with Google to ‘Document Hate,’ Threatens Conservative Bloggers. The perennial challenge of satire is to stay ahead of reality.


Virtual private network

It’s been in the news that President Trump is to sign a law rolling back a recent privacy regulation:

“As shocking as this sounds, virtually nothing has changed about the privacy of the average American’s connection to the Internet as a result of this action by Congress, except perhaps a greater awareness that ISP customers don’t really have many privacy protections by default. The FCC rules hadn’t yet gone into effect, and traditional broadband providers successfully made the case to lawmakers that the new rules put them at a competitive disadvantage vis-a-vis purely Web-based rivals such as Facebook and Google.” — Post-FCC Privacy Rules, Should You VPN?, by Brian Krebs

So people are thinking about using a virtual private network to have more privacy. The linked article is the thing to read about VPNs.