As I mentioned in my D-STAR post, I have been recently getting into amateur radio. This has led to viewing many posts on many different related forums where the users use their call signs as their username. For most people in the ham radio community, their call sign is a symbol of pride. Pride in their community and pride in their hobby. This also extends to their cars as well. Now, I was going to post an image of someone’s licence plate here and demonstrate why it is a bad idea to put their call sign on it; however, I cannot, in good conscious do that to someone without their permission. Even if the copyright of the image allowed me to repost the image, the image is freely available, and the information that I am using is publicly available and legal to use, I still have issues with the violation of privacy involved in it.
So instead, I am going to ask you to imagine a license plate with the letters K2GXT on it. This license plate is on a car. You recognize the symbol on the license plate as the amateur radio symbol, and the car looks like a porcupine. This car just cut you off and you want to know who was driving it. Now it used to be that you could perform a simple Google search and find the information that you are looking for, but thankfully it is not as easy any more. First go to the FCC Universal Licensing System page. Then, click on the search for license button in the middle of the page, type in “K2GXT”, and presto you get the license information for call sign K2GXT. This page lists the full name of the person who’s car that was, as well as their home address.
There is one plus side to having one of these plates: It classifies your car as an emergency vehicle in New York. What does this get you? Not much more that the ability to enter a place in communications emergency without having to show additional credentials.
(P.S.- Just so that it is known, K2GXT is the call sign for the amateur radio club here at RIT. I figured it would be the safest call sign to use as an example (as well as some free publicity).)
Recently, I have been getting into amateur radio (ham radio) and have been learning about the different methods of transmitting data using these radios. One of these methods is called D-STAR. D-STAR allows the transfer of files and other data. Most importantly, however, is that it can be used for accessing the internet. For speeds of about dial-up, a person who has their amateur radio licence can get the internet out in the middle of nowhere with out any cell phone signal.
However, this D-STAR has some major issues. Mostly these issues are caused by the restrictions placed on transmissions sent over amateur radio. One of these restrictions is the prohibition of the transfer of ads. The FCC has made it quite clear that they do not approve of ads on amateur radio frequencies. This severally limits the sites that one can access over a D-STAR system. The other restriction that is placed on the amateur frequencies is the prohibition on encrypted messages. This means no SSL/TLS encrypted websites, no VPNs, no SSH, or any other form of encrypted data transfer. All data must be transmitted in plain text over a publicly documented medium. Security wise, this is a nightmare.
Personally, I understand the reason that the FCC has put these restrictions on. Amateur radio is ment to be for everyone to use equally and to be shared equally. If someone was to start using this privilege for what ever they wanted to, the frequencies would be completely filled up and there would be no useful transfer of information.
These days, every cell phone has a GPS (Global Positioning System) chip in it. Everywhere we go, we have the possibility of being tracked using this device. Some phones have the option of turning their GPS off but when you do, you must ask yourself “Is it really turned off? At any time could it be reenabled?” However, there are some upsides to this feature. If you are unable to talk on the phone when you need help, you can just dial 911 and someone will come and find you.
A question for us all: Is this feature of calling 911 and getting help when not being able to speak worth the security risks?
The first time that I heard about Dead Drops, I was intrigued by the idea behind them. Offline public file sharing using USB thumb drives that were built into buildings; but then I realized how bad this idea is from a security stand point. Auto run scripts, viruses with images in them, etc. could very easily be planted in these thumb drives and then installed on an unsuspecting machine. The faq page at deaddrops.com suggests to use a virtual machine to read the drive, but even then it is not always easy to tell whether or not the USB port is directly sent to the virtual machine or if the data first gets sent to the host OS. If the latter, this is not any more secure than no virtual machine. Another option is to use a machine that is dedicated to connecting to Dead Drops. This works as long as it stays dedicated to Dead Drops. Even then though, if the Dead Drop isn’t actually a real Dead Drop and is actually connected to 110v wall power (for example), good luck trying to fix your computer.
[EDIT: After I posted this I was checking xkcd and the current one is relevant-
Image above credited to Aram Bartholl (Creative Commons By-NC-ND).
Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are both very important to the security of the internet. They are the protocols that encrypt any secure connection between you and the server.
When you connect to the server, a “handshaking” process begins. The first step is that the server sends you its identity certificate and public key, then it asks for the same from the client. The client then responds with its public key and verifies the server’s identity certificate with the certificate authority that created it. Once this has been successfully completed, the connection can now be encrypted.
If those steps are not completed, the client can not trust the server and closes the connection.
Secure passwords are an issue that internet users face everyday. Every time you sign up on a new website, you are asked to use a password for your login. You look around you, making sure the resident computer security expert doesn’t see you, and you type in that one password that you use for every other site. You justify the use of that password by saying, “It’s a secure password: it contains more then 10 characters, some upper case, some lower case, some numbers, and a symbol” (which doesn’t actually guarantee a secure password).
“So what is a secure password?” you ask. Simply put, a secure password is one that is somewhat long, easy to remember, and only told to people or websites that you trust. The last one is the key. It is very simple to create a website that has the sole purpose of harvesting passwords from users. A website that promises, and maybe delivers, a service that the user would find useful. The user signs up for it, and puts in their password, and usually email address as well, and now the admins of that website have your email login and, if the password is the same, your email password. The website admin could also try and use the combination on Facebook, Twitter, banking sites, etc. and see what information, and possibly money, they can get.
So next time you sign up for a website, ask yourself “Do I trust the admins of this site with the ability to read my email? Change my Facebook page? Post on my Twitter account?”. If you answered yes then by all means use the same password as those other services; but, if you answered no, do yourself a favor and use a new password.