What’s good for the goose…

So Microsoft is being ordered to produce (C|Net, Ars Technica) email held abroad on computers outside of America at Microsoft’s Irish division in Dublin.

Let’s have a gander…

The logic being that a parent company / entity, doing business in the US but storing client information overseas as part of a subsidiary’s business because it’s physically closer to the subsidiary’s clients, still maintains control over that information and can be compelled to produce it despite it being physically outside the USA’s jurisdiction.

First, that flies in the face of European privacy and data retention laws, and new laws, like in Russia, requiring that data of users be held on their home soil. If a government can compel a company to hand over any data the company has access to from anywhere in the world, then privacy and international borders mean nothing any more.

Second, that argument will open American businesses with offices overseas to similar legal arguments in foreign countries. How would Americans feel about China issuing warrants for Microsoft user emails held in the US?

Or, more interestingly, consider that the FBI (and CIA) have liaison offices around the globe. How would the US government feel about an FBI liaison office abroad being sued and issued a discovery order against computers they control on US soil?

postmaster@YOUR_DOMAIN_HERE

Hard to imagine I neglected to mention this before now, but two weeks ago I published and released my first book, «postmaster@YOUR_DOMAIN_HERE», at the M3AAWG Montreal Night Out. The book is essentially a primer and digest of topics of interest to new email administrators; a collection of topics they should be aware of when managing their email systems.

The contents are freely available online to new and experienced postmasters to consult and contribute. Visit The Postmaster Administration Wiki.

Update: The book is available from Amazon.

Foiling WordPress Login Attacks

The other day I read an article concerning attacks on WordPress wp-login.php. The solution was fairly simple: rename wp-login.php, and all references to the file within the WordPress software, to an uncommon name. However, this is cumbersome to do and maintain, and in addition you have to do this for some themes and plugins that make reference to wp-login.php.

I came up with an alternative and simpler solution. While not perfect (particularly if you have several blog authors), a simple workaround to the problem is to use a double login by forcing HTTP authentication in the web browser for access to wp-login.php.

If you are using Apache, then within your blog’s <VirtualHost> block add:

<Files wp-login.php>
  AuthName "Blog Login Page"
  AuthUserFile "/path/to/blog/root/.htpasswd"
  AuthType Basic
  Require valid-user
</Files>

Then create a .htpasswd file, preferably with a different user name and password from the blog login. Voilà! Done!
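As an added example (not part of the original post): once the HTTP authentication gate is in place, password guesses against wp-login.php show up in the Apache access log as 401 responses. The sketch below counts them per client, assuming the "combined" log format; the function name, threshold and sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Apache "combined" format: client ident user [time] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def failed_gate_attempts(lines, threshold=3):
    """Return {ip: count} for clients with >= threshold 401s on wp-login.php.

    A legitimate browser gets one 401 (the challenge) before it sends
    credentials, so a threshold of 1 would flag every real author.
    """
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        path = m.group("path").split("?", 1)[0]  # ignore the query string
        if path.endswith("/wp-login.php") and m.group("status") == "401":
            hits[m.group("ip")] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}

# Constructed sample lines using documentation addresses, not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2014:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 401 381 "-" "Mozilla/5.0"',
    '203.0.113.7 - admin [10/Mar/2014:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 401 381 "-" "Mozilla/5.0"',
    '203.0.113.7 - root [10/Mar/2014:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 401 381 "-" "Mozilla/5.0"',
    '203.0.113.7 - test [10/Mar/2014:10:00:04 +0000] "GET /wp-login.php?action=register HTTP/1.1" 401 381 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [10/Mar/2014:10:05:00 +0000] "GET /wp-login.php HTTP/1.1" 401 381 "-" "Mozilla/5.0"',
    '198.51.100.20 - editor [10/Mar/2014:10:05:04 +0000] "GET /wp-login.php HTTP/1.1" 200 2450 "-" "Mozilla/5.0"',
    '192.0.2.5 - - [10/Mar/2014:10:06:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, count in failed_gate_attempts(SAMPLE_LOG).items():
        print(f"{ip}: {count} failed attempts on wp-login.php")
```
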

Update:

Max Privacy, Min Tracking, Zero Pain

I absolutely hate online advertising, junk mail, and spam. More and more I rail against the intrusion of advertising into every nook and cranny of our virtual and real lives. First it was ads in news print, magazines, radio, TV, billboards, flyers, t-shirts, sky writing, etc. Then the assault on our eyeballs via Internet and mobile devices through web sites, news feeds, video clips, text messages, social media feeds, computer applications; it’s just appalling. Add into the mix the personal information gathered and data mining that make advertisers and governments drool, there has to be a line drawn somewhere and a push back by the public to say enough is enough. Big Brother can go frak himself.

Now I’ve been using the Internet for a long time, since university in the late 1980s and BBSes before that. So I have a long and established digital footprint, from free software offerings, newsgroup postings, programming contests, several domain names, a blog, Twitter, and who knows what else. So finding out something about me and my past is not that hard if you know how to thread together the diverse information.

Still, despite all that, I endeavour to protect my online privacy with a good measure of success. Here is an outline of the steps I’ve taken:

  • Use a browser that has good “cookie” management and a variety of add-ons, like Firefox. While Chrome is a fast browser, has good cookie controls, and supports many of the add-ons available for Firefox, I have privacy concerns since it is built by Google and integrates into some of the very services that track you on-line. I’m less familiar with Opera.

  • Disable third-party cookie support. Also consider being prompted about every cookie request, or at the very least auto-delete them all when you close the browser, effectively forcing session only cookies.

    I typically block all cookies by default, especially all advert and metrics cookies, making exceptions only when a site I really want to use requires them in order to function. Sometimes this level of cookie management is only for the power-user, in which case accepting cookies and deleting them (or adding exceptions) when the browser exits is easier.

  • Enable the “Do Not Track” option supported by many browsers.

  • In Firefox visit about:config, find the option network.http.sendRefererHeader, and set the value to zero (0).

  • Install Adblock Plus available for Firefox, Chrome, Opera, and Android.

  • For Firefox, install Beef Taco for enabling tracking advertising cookie opt-out (TACO).

  • Install the DoNotTrackMe browser add-on. Similar to Beef Taco, but more widely available and covers other tracking methods.

  • Purchase a one-time consumer license and install MalwareBytes Anti-malware Pro with on-access protection enabled. I’ve found this software to be superior, faster, and more accurate than all the anti-virus products I’ve used in the past. It also blocks access to suspicious IP addresses by applications. Firefox and Chrome have a similar built-in facility, but MalwareBytes does it for all the other network applications.

  • For the power-users, learn how to edit and use /etc/hosts (Unix) or C:\Windows\System32\drivers\etc\hosts (Windows) to block advertising sites. This is similar to what the add-ons do, but applicable to all network applications. I’ve used it to block advertising in AIM, ICQ, and Skype at a minimum. Essentially you find out the hostname of an advert service and add it to the hosts list with an IP address of 127.0.0.1, which redirects those advert requests to localhost (your computer), where they go unanswered.
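The hosts-file technique in the last item, as an added example that is not part of the original post: it merges a list of advert hostnames into existing hosts-file text without duplicating entries, and rejects malformed names so a blocklist taken from elsewhere cannot inject extra lines. The function names and the example.com/.net/.org hostnames are constructed placeholders.

```python
import re

# One or more dot-separated labels plus a TLD; no whitespace, '#' or newlines,
# so an untrusted list entry cannot smuggle in a second hosts-file line.
HOSTNAME_RE = re.compile(r"([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}")
NEVER_BLOCK = {"localhost.localdomain"}  # keep loopback names untouched

def mapped_names(hosts_text):
    """Collect every hostname already present in the hosts file."""
    names = set()
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments
        names.update(f.lower() for f in fields[1:])  # fields[0] is the IP
    return names

def add_blocks(hosts_text, ad_hosts, sink="127.0.0.1"):
    """Return hosts_text plus one 'sink<TAB>hostname' line per new valid name."""
    seen = mapped_names(hosts_text)
    new_lines = []
    for raw in ad_hosts:
        name = raw.strip().lower().rstrip(".")
        if len(name) > 253 or name in NEVER_BLOCK or name in seen:
            continue
        if not HOSTNAME_RE.fullmatch(name):
            continue  # malformed or injected entry
        seen.add(name)
        new_lines.append(f"{sink}\t{name}")
    if not new_lines:
        return hosts_text  # idempotent: nothing to add
    if hosts_text and not hosts_text.endswith("\n"):
        hosts_text += "\n"
    return hosts_text + "\n".join(new_lines) + "\n"

# Constructed sample input.
SAMPLE_HOSTS = "127.0.0.1\tlocalhost\n127.0.0.1\tads.example.com  # already blocked\n"
AD_HOSTS = [
    "ads.example.com",                            # duplicate of existing entry
    "Tracker.Example.NET.",                       # normalised to lower case
    "bad host.example",                           # contains a space: rejected
    "metrics.example.org\n10.0.0.1 bank.example", # line injection: rejected
    "tracker.example.net",                        # duplicate after normalising
]

if __name__ == "__main__":
    print(add_blocks(SAMPLE_HOSTS, AD_HOSTS), end="")
```

Write the result back with administrator rights; on both Unix and Windows the hosts file is only writable by a privileged account.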

Update:

  • Firefox now defaults to secure Google searches over SSL using https://www.google.com/. However your search terms can still “bleed through” to web sites you click on from the results. This can be fixed by copying (assuming Windows):

    C:\Program Files\Mozilla Firefox\searchplugins\google.xml

    to your personal profile:

    C:\Users\$USER_NAME\AppData\Roaming\Mozilla\Firefox\Profiles\$MAGIC_STRING.default\searchplugins\google_encrypted.xml

    Then edit the google_encrypted.xml file and replace www.google.com everywhere with encrypted.google.com. Also change:

    <ShortName>Google</ShortName>

    to:

    <ShortName>GoogleSec</ShortName>

    Restart Firefox and make GoogleSec your default search engine (click the drop-list beside the search logo and select “Manage Search Engines”).

  • It’s unclear why Google Chrome does not use SSL searches by default, but a similar change can be made in Chrome. Simply go to Settings > Manage Search Engines, click on the Google URL template, change http://www.google.com to https://encrypted.google.com, and click DONE.