Working in the computer industry, I’m frequently asked by friends and family to have a look at problematic Windows machines. (I’m asked for help with regard to getting the bum machine back up and running, but my advice to investigate alternatives to Windows is almost never followed. But that’s another post altogether….)

Sometimes, in the course of working on these machines, the subject of information security will come up. Usually, this is the result of a conversation on wireless APs and the inherent risk in simply opening the box and plugging it in. Since a technical explanation on the dangers of plaintext protocols going over the air would be lost on most, I’ll fall back to today’s killer app, email. The gist of the message is this: “Guess what? Email ain’t private!”

To elaborate, email is a plaintext communication medium. This means that as the data stream is broken down to it most basic bits and bytes by the computers actually moving the message from place to place, it isn’t encrypted or otherwise obfuscated in any way. Back when the architects of the “interweb” were putting this thing together, privacy and security weren’t taken into account, the priorities were elsewhere. Why, do you ask?? Simply because it was a different day and age. So-called hackers and crackers weren’t an issue at the time. Times have changed, there’s no doubt, but for the most part SMTP (the protocol that moves email) has not.

Anyway, the reason I began this post is because I ran across an article which says that a recent study shows that a third of employers in the US and UK read their employees’ email. Think about that for a sec. I know people who use their workplace email address for the bulk of their correspondence with friends and family. If the study is accurate, this means 1 of every 3 of these people has this email read by someone other than the intended recipient! Email ain’t private, folks.

From the article:

“It is not something that is broadcast,” Steele said. “There are organizations where employees think they can say whatever they want to say and nobody is going to read it.”

My wife once worked for an employer who actively read company email. She casually mentioned to me one day the sorts of things that were being sent back and forth via intra-company email. I cautioned her that someone was likely looking at it. She immediately ceased to participate in these email threads. About six months later, the worst perpetrators were called into an office at the end of the day and fired. Granted, they were fired for the sheer bulk of the email; the time wasted on email was lost productivity for the employer. The lesson learned remains the same: email ain’t private.

One point of clarification: I’m not bashing employers. I believe they have the right to monitor communications, be they phone or email, for the purposes of mitigating losses due to lost productivity, neglect or corporate espionage. The phones belong to them, the network belongs to them and, like it or not, you, as a resource, belong to them for 8 hrs (or more) a day. Your time is valuable and you trade it every day for a paycheck. As long as employees are notified that they’re being monitored (did you read the forms you signed in HR when you were hired??), then employers are very much within their rights to protect themselves in these ways.

The point of this post was to make you aware this is going on. Like I said, people are usually very surprised when I explain how this works.

Considers yourselves warned.

I’m going to start posting configuration notes here on my blog, mostly because I’m getting old and am forgetting things more and more lately. If anyone else finds them useful, that’s cool too.

Each time I install an Ubuntu box, I find myself reinstalling the same sets of packages. Some of these are security-specific, and some are simply there to make my desktop a bit more usable. I’ll add to these as I install them. Hopefully, in time, I’ll have a list of packages I can reference to quickly get a machine to a usable state.

• nmap
• tcpdump
• tcpflow
• ethereal
• tethereal
• minicom
• screen
• msttcorefonts
• gsfonts-x11
• remind

Use the following in a terminal to grab all the packages listed above (and their dependencies):

apt-get install nmap tcpdump tcpflow ethereal tethereal minicom screen msttcorefonts gsfonts-x11 remind

I’m composing this blog entry from the Mozilla-based social browser called Flock. If you’re into blogging or Flickr at all, you may want to have a peek.

As I was trying to clean my desk up a little bit, I came across an unmarked CD, which as it turns out is a burned copy of the Kubuntu 5.10 Release Candidate.

After mounting the CD, apparently Ubuntu autodetects the fact that it is an Ubuntu cdrom and offers to either launch the package manager (for easy package installation) or auto-upgrade your current system.

I’ve never noticed this before because I typically keep my system up to date with incessant ‘apt-get upgrade’ or dist-upgrades. But I can certainly appreciate Ubuntu’s attempt at making upgrades that much easier for those users who are either less technically inclined or simply don’t have the bandwidth to support over-the-network upgrades.

I found an option to publish an RSS feed from my Photo Gallery.

If you aren’t a geek, you probably don’t give a damn. But if you’re into RSS, plug this url (http://pics.rodrig.com/rss.php) into your RSS reader for a quick painless way to check for new photos.

Kudos to the developers of this great, free software.

I’m trying to clean up a bit downstairs in my dungeon tonight. I’ll be moving my IBM Netfinity 5000 into my network rack. The thing is a monster, so in order to get it where I want it I have to shut down the server which hosts this site and a couple others.

It shouldn’t take long. Wish me luck!

Patch your machine.

Now.

I killed my mailserver for a short while this morning.

I was doing some maintenance and I made a change which I neglected to sanity check. Even worse, I didn’t verify that mail was up and running afterward. Naturally, it wasn’t. All mail to rodrig.com was immediately bounced back to sender for about three hours. If you sent something during this window and it was returned to you, please resend.

There may be some more downtime while I continue to iron this out, but not for nearly as long. Trust me, I won’t make that mistake again.

Have you heard of RFID tags, yet? If so, you may want to read this article from The Nation. Haven’t heard of RFID tags? Then you’ll *definitely* want to check it out.

I’m a little hesitant when it comes to RFID for the same reason everyone else is: Privacy. I’m not terribly optimistic that in this day and age we’ll use this technology responsibly. Think about it. Today, we fingerprint people coming into the country. Tomorrow, what’s to stop us from requiring them to carry an RFID-enabled identity card at all times. Just because it wouldn’t apply to you or me doesn’t mean it’s not important.

What amazes me is the reaction, or lack thereof, I encounter when this topic comes up in conversation. There are so many conspiracy theorists out there, but when this real-world potential for abuse is pointed out they’ll just sort of roll their eyes.

And, by the way, if you’re not convinced that this will affect us very soon, realize that some huge retailers are pushing for RFID in *everything*.
When was the last time you shopped at Walmart??

I’ve added three (count ‘em, three) new photo albums. Check them out in the Photo Gallery.

Or jump straight to them below:
Xmas 2003
Ice Skating!
New Years 2004 - Montreal, Canada