Here’s How To Protect Your Privacy In Trump’s America

Gregor Cresnar / The Noun Project / Getty / Chip Somodevilla

You’d think texts to your mom and calls to your takeout place are hardly in the government’s interest, but the feds might be monitoring your communications anyway. Sweeping government surveillance programs have grown in recent years – and some digital privacy advocates believe that civilian snooping will continue to expand under President Trump’s watch.

In the first half of 2016, government requests for Facebook account data were up 27% from the previous year, while requests for Google user data in the same period hit a record high of 44,943. The country that submitted the most requests to both of those sites? The United States.

Both presidents Bush and Obama supported domestic surveillance, and experts are concerned that the Trump administration will only strengthen that authority. According to Jay Stanley, a senior policy analyst at the American Civil Liberties Union, “There are extra reasons to worry under a Trump administration based on things he has supported.”

Trump has specifically called for the monitoring of mosques and activist groups like Black Lives Matter. He has also supported the reauthorization of NSA’s data collection program, which was discontinued in June 2015.

So, if you’re feeling, er, unnerved, here’s how to protect your information not only from Uncle Sam, but from hackers and prying corporations, too.

When you’re looking for tools to protect your privacy, there are many aspects to consider, but here are three important ones, according to the Electronic Frontier Foundation’s Noah Swartz:

1. Is the program open source? This allows other engineers to verify that its code is kept up to date, and that its encryption and privacy settings retain strong encryption and best practices.

2. Where is the data stored? Is it on someone else’s servers? In that case, find out who has the encryption keys.

3. Does it make promises that are too good to be true? Steer clear of vague language.

Hackers find security vulnerabilities all the time, so nothing is 100% bulletproof. That’s why it’s important to update your personal technology frequently, create strong passwords, and change those passwords often.

The word encryption is thrown around a lot when you’re looking for secure apps and services. Here’s what it means: When a message sent to you is encrypted, the message looks like gibberish to anyone except you and the sender. It’s a complex algorithm that ensures the message can’t be intercepted by your internet provider or your data carrier.

The most common way apps use encryption is in transit, when the message is traveling through Internet cables or bouncing between cell towers. If you’re looking for a platform that’s truly secure, it should offer what’s called end-to-end encryption, which means that it’s encrypted all the way, as it travels between “ends”: when it leaves the sender’s device, when it hits the platform’s servers, and when it arrives at the recipient’s device.

But, ultimately, end-to-end encryption doesn’t matter if an unauthorized person can easily get into one of those “ends” AKA your phone, computer, or accounts. Encryption is only as secure as your personal devices, so here are the most ~*basic*~ security measures you can, and should, take:

Add a passcode, dummy!

You wouldn’t leave your bike unlocked on the street, would you? At the very least, add a numeric code to your phone. (Pro-tip: don’t use “1234” or “0000.”) For those who want to be *super* secure, add a passcode with both numbers and letters, or an alphanumeric code.

For now, police can’t compel you to give up your passcode, but they can force you to use your fingerprint. So be wary of Touch ID, Pixel Imprint, and other fingerprint unlock features that are convenient, but may compromise your security.

In iOS, go to Settings > Touch ID & Passcode > Change Passcode > tap Passcode Options > Custom Alphanumeric Code.

In Android, go to Settings > under Personal, tap Security > Screen lock > PIN or Password. Additionally, encrypt your phone from the Security page (iPhones are encrypted by default).

Nicole Nguyen / BuzzFeed News

On your computer, add a login password and encrypt your computer’s hard drive.

On the Mac, go to System Preferences > Security & Privacy and set to Require a password for a certain time after sleep. Then move to the FileVault tab to turn on encryption. Don’t forget your FileVault recovery key!

On a PC, go to Start > type encryption > select Change device encryption settings > Manage BitLocker > Turn on BitLocker.

Turn on remote lock-and-erase for your devices.

For Mac and iOS, set up Find My Mac and Find My iPhone. From iCloud.com/find, you can completely wipe data from your Apple device remotely, as soon as it connects to the Internet.

For Android, find my phone is automatically enabled once you’ve connected the device to your Google account. Go to android.com/devicemanager to locate or erase data on the phone by performing a factory reset.

For Windows 10 computers, go to https://account.microsoft.com/devices to locate, ring, lock, and erase.

Update your software as soon as a new version is available, no matter how annoying those pop-ups are.

It is always worth your time to do so. If you don’t, it’ll make you more vulnerable to hackers who monitor which security holes were patched in the new update, in order to target those in older versions of the software.

Add two-factor authentication to every account you can.

Not just for email and social media accounts, but for online banking, gaming, and retail, too. It requires that you submit a verification code sent to your phone, in addition to a traditional password, to log in.

Do it for Gmail immediately! Then, make sure your recovery email or phone are equally secure. Here’s a comprehensive list of websites that support two-factor authentication.


After enabling two-factor, add an additional layer of security to your mobile carrier account by requiring a PIN when you call customer service. If someone has your name and the last four digits of your Social Security number, they can change the SIM number associated with your phone, rerouting two-factor verification codes to another device. An extra PIN helps prevent this. Here’s how to add one if you’re a Verizon, T-Mobile, Sprint, or AT&T customer.

OK, this is going to be a long section, because there are a lot of encrypted messaging apps out there. The TL;DR is that if you’re using one of the five apps mentioned here, you’re already communicating pretty securely.

Signal (free for iOS and Android), Wickr (free for iOS and Android), WhatsApp (free for iOS, Android and Windows Phone), Google Allo’s incognito mode (free for iOS and Android), and iMessage between iPhones (free for iOS) are five messaging apps that provide end-to-end encryption. If a government issues a request to any of these platforms, they won’t be able to hand over the content of messages.

However, each service handles their users’ metadata (in other words, who you messaged and when) a bit differently. It’s important to keep in mind that none of these apps can guarantee you total, uncrackable security — each one has its pros and cons.

Signal

The pros: Signal is very popular. NSA whistleblower Edward Snowden endorsed the app, and after Trump was elected, downloads increased by 400%.

By default, Signal doesn’t store your messages or metadata. The app provides a “safety number” for each conversation used to verify a person’s authenticity. Users can also elect to make messages disappear during intervals, whether it’s of five seconds or a week. Most important of all, Signal’s code is open to review and anyone can audit the software or contribute improvements.

The cons: When you sign up, Signal requires access to your address book, and as my colleague Hamza Shaban pointed out, that risks ratting out whistleblowers — if someone knows your number, they can tell whether or not you’re on Signal. If you were spilling stories about your company’s wrongdoings to a journalist, you might not want your boss to know that you’re using Signal. Moxie Marlinspike, the founder of Open Whisper Systems, the nonprofit behind Signal, suggests using a throwaway Google Voice or VoIP number as a workaround to sign up for Signal.

Wickr

The pros: Wickr offers all of Signal’s encrypted features. One advantage the app has over Signal is that Wickr does not need your phone number to sign up. Users have the option to create a unique handle, which protects those who don’t want their identities linked to the service.

The cons: Its code isn’t available for independent review, and Wickr’s user base isn’t as large as Signal’s, so it’s likely that you’ll need to convince contacts to sign up before you can start messaging with them.

WhatsApp

The pros: WhatsApp uses Signal’s protocol for encryption. It has the advantage of having over one billion users already on its platform, and it’s a feature-rich app with group messaging, voice calls and video chat built-in.

The cons: While the app, which is owned by Facebook, can’t read individual messages, it can record metadata like date, time stamp, and phone numbers associated with that message, according to a recently revised privacy policy. The app also announced last year that it was going to start sharing user information with Facebook, though it does let you opt out before agreeing to the updated terms of service. If you don’t opt out at that time, you have an additional 30 days to make your choice.

WhatsApp doesn’t include the option for disappearing messages. It also turns off security notifications when a contact’s key has changed (which occurs when they’ve re-installed WhatsApp on a new phone) by default, making you more susceptible to “man-in-the-middle” attacks by hackers.

Furthermore, the app allows you to back up your messages to iCloud or Google. While that is convenient if you lose your phone or switch to a new one, the backup is not protected by WhatsApp’s end-to-end encryption.
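The key-change warning described above, and the “safety number” idea from the Signal section, sketched as an added example that is not from the original article and is not Signal’s or WhatsApp’s actual algorithm. The class name, the notify_on_change setting and the key bytes are assumptions constructed for illustration.

```python
"""Added example (not from the article): pin a contact's key on first use
and warn when it later changes. Simplified illustration only; this is NOT
Signal's or WhatsApp's real safety-number algorithm. Keys are constructed."""
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed 32-byte stand-ins for public keys (not real key material).
ALICE_KEY = bytes.fromhex("11" * 32)
BOB_OLD_KEY = bytes.fromhex("22" * 32)
BOB_NEW_KEY = bytes.fromhex("33" * 32)   # after a reinstall, or an impostor


def safety_number(key_a: bytes, key_b: bytes, digits: int = 30) -> str:
    """Number both parties can compare out of band (in person, by voice)."""
    first, second = sorted((key_a, key_b))      # same result on both phones
    digest = hashlib.sha256(first + second).digest()
    number = int.from_bytes(digest, "big") % 10 ** digits
    text = f"{number:0{digits}d}"
    return " ".join(text[i:i + 5] for i in range(0, digits, 5))


@dataclass
class ContactKeyStore:
    my_key: bytes
    notify_on_change: bool = True               # hypothetical app setting
    pinned: dict = field(default_factory=dict)  # contact -> last seen key
    verified: set = field(default_factory=set)  # contacts checked by hand

    def observe(self, contact: str, key: bytes) -> str:
        """Call for every incoming message; returns what the user is shown."""
        known = self.pinned.get(contact)
        if known is None:
            self.pinned[contact] = key
            return "pinned"
        if hmac.compare_digest(known, key):
            return "unchanged"
        # A new key looks identical for a new phone and for an interceptor,
        # so earlier verification no longer applies either way.
        self.pinned[contact] = key
        self.verified.discard(contact)
        return "warn" if self.notify_on_change else "silent"

    def verify(self, contact: str, number_from_contact: str) -> bool:
        """Mark verified only if the contact's displayed number equals ours."""
        ours = safety_number(self.my_key, self.pinned[contact])
        if hmac.compare_digest(ours, number_from_contact):
            self.verified.add(contact)
            return True
        return False


def demo(notify_on_change: bool) -> list:
    store = ContactKeyStore(ALICE_KEY, notify_on_change)
    events = [store.observe("bob", BOB_OLD_KEY)]
    # Bob reads his number to Alice; his phone computes it from the same keys.
    events.append(store.verify("bob", safety_number(BOB_OLD_KEY, ALICE_KEY)))
    events.append(store.observe("bob", BOB_OLD_KEY))
    events.append(store.observe("bob", BOB_NEW_KEY))
    events.append("bob" in store.verified)
    return events


if __name__ == "__main__":
    print(demo(notify_on_change=True))
    print(demo(notify_on_change=False))
```

With notifications off, the new key is accepted exactly as in the first run; the only difference is that the user is never told to compare numbers again.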


Allo

The pros: Google’s new messaging app includes the company’s artificial intelligence Google Assistant, which can help with tasks like making restaurant reservations or looking up movie times. It offers encrypted messaging with limited features (Google Assistant won’t work with it turned on) and you can set your messages to disappear after a certain period of time.

The cons: End-to-end encryption is disabled by default and you need to turn on incognito mode yourself.


iMessage

The pros: Apple does provide end-to-end encryption for iMessage content (read more about its encryption technique on page 41 of this guide), and the company itself can’t decrypt the data – but only when both users sending messages have iPhones.

The cons: When you enter a phone number into iMessage, that number is sent to Apple servers to determine whether or not that contact’s bubble should be green or blue (or, rather, whether to send the text through iMessage or SMS). Apple retains that data for up to 30 days and can be forced to hand it over to law enforcement with a subpoena or court order.

Many of the same apps that offer secure messaging also offer encrypted phone calls, including Signal and WhatsApp.

If you don’t use Signal or WhatsApp, any app that uses Ostel, an open source, end-to-end encrypted phone call tool, allows you to talk freely and securely. The easiest and cheapest way (it’s free!) to place a call through Ostel is through the Jitsi app for Mac, Windows, and Linux. An iOS app called Acrobits Softphone will cost you a one-time $7 fee to download the app, but this version only allows you to receive encrypted calls. Placing encrypted calls costs an additional $25.

While Gmail emails are encrypted in transit, Google’s popular email service is not secure enough for sensitive information. Google reads the contents of your email to determine which email appears in the Priority Inbox and, ultimately, to show you more personalized ads. If you’re getting a lot of emails about winter boots, you’ll see more winter boot banner ads.

For simple encryption, you can use the Chrome extension CryptUp for Gmail, which is easy to set up for n00bs but has advanced settings options for nerds. It allows users to add a “challenge question” that only your recipient can answer to decrypt the message. If the recipient has CryptUp installed, you can send small, encrypted attachments as well.

To take your email security a step further, you’ll need to familiarize yourself with “PGP” or “Pretty Good Privacy” encryption. First, install the Mailvelope extension for Chrome or Firefox, which works for Gmail, Outlook.com, Yahoo! Mail, and GMX. Click on the extension icon and then click Options. Follow the instructions to Generate Key. Now, you have a public and private key.


Source: BuzzFeed

US Army taps IBM for $62 million private cloud data center

For the United States Army, security is a top concern. It’s a big reason why it chose IBM to build out and manage a private cloud data center at its Redstone Arsenal near Huntsville, Alabama.
The contract for the data center would be worth $62 million over five years, if the Army exercises all its options. Along with the data center, the agreement also gives IBM the go-ahead to provide infrastructure-as-a-service (IaaS) solutions to migrate applications to the cloud. The goal is to move 35 apps within the first year.
The agreement requires Defense Information Systems Agency (DISA) Impact Level 5 (IL-5) authorization, which IBM announced it had received in February 2016. The authorization gives IBM the ability to “manage controlled, unclassified information.” As of this week, IBM is the only company to be authorized by DISA at IL-5 to run infrastructure-as-a-service solutions on government property. The Army expects to move IBM to IL-6 authorization, which would permit the company to work with classified information up to “secret,” within a year.
Lt. Gen. Robert Ferrell, US Army CIO, said, “ is a game-changing architecture that provides improved performance with high efficiency, all in a secure environment.”
Last year, the Army partnered with IBM on a hybrid cloud solution for its Logistics Support Activity.
For more about this new private cloud data center, read the full article at TechRepublic.
The post US Army taps IBM for $62 million private cloud data center appeared first on Cloud computing news.
Source: Thoughts on Cloud

A dash of Salt(Stack): Using Salt for better OpenStack, Kubernetes, and Cloud — Q&A

The post A dash of Salt(Stack): Using Salt for better OpenStack, Kubernetes, and Cloud — Q&A appeared first on Mirantis | The Pure Play OpenStack Company.
On January 16, Ales Komarek presented an introduction to Salt. We covered the following topics:

The model-driven architectures behind how Salt stores topologies and workflows

How Salt provides solution adaptability for any custom workloads

Infrastructure as Code: How Salt provides not only configuration management, but entire life-cycle management

How Continuous Delivery/ Integration/ Management fits into the puzzle

How Salt manages and scales parallel cloud deployments that include OpenStack, Kubernetes and others

What we didn’t do, however, is get to all of the questions from the audience, so here’s a written version of the Q&A, including those we didn’t have time for.
Q: Why Salt?
A: It’s Python, it has a huge and growing base of imperative modules and declarative states, and it has a good message bus.
Q: What tools are used to initially provision Salt across an infrastructure? Cobbler, Puppet, MAAS?
A: To create a new deployment, we rely on a single node, where we bootstrap the Salt master and Metal-as-a-Service (formerly based on Foreman, now Ironic). Then we control the MaaS service to deploy the physical bare-metal nodes.
Q: How broad a range of services do you already have recipes for, and how easy is it to write and drop in new ones if you need one that isn’t already available?
A: The ecosystem is pretty vast. You can look at either https://github.com/tcpcloud or the formula ecosystem overview at http://openstack-salt.tcpcloud.eu/develop/extending-ecosystem.html. There are also guidelines for creating new formulas, which is a very straightforward process. A new service can be created in a matter of hours, or even minutes.
Q: Can you convert your existing Puppet/Ansible scripts to Salt, and what would I search to find information about that?
A: Yes, we have reverse engineered automation for some of these services in the past. For example, we were deeply inspired by the Ansible module for Gerrit resource management. You can find some information on creating Salt Formulas at https://docs.saltstack.com/en/latest/topics/development/conventions/formulas.html, and we will be adding tutorial material here on this blog in the near future.
Q: Is there a NodeJS binding available?
A: If you meant the NodeJS formula to set up a NodeJS environment, yes, there is such a formula. If you mean bindings to the system, you can use the Salt API to integrate NodeJS with Salt.
Q: Have you ever faced performance issues when storing a lot of data in pillars?
A: We have not faced performance issues with pillars that are delivered by reclass ENC. It has been tested up to a few thousands of nodes.
Q: What front end GUI is typically used with Salt monitoring (e.g., Kibana, Grafana, …)?
A: Salt monitoring uses Sensu or StackLight for the actual functional monitoring checks. It uses Kibana to display events stored in Elasticsearch and Grafana to visualize metrics coming from time-series databases such as Graphite or Influx.
Q: What is the name of the salt PKI manager? (Or what would I search for to learn more about using salt for infrastructure-wide PKI management?)
A: The PKI feature is well documented in the Salt docs, and is available at https://docs.saltstack.com/en/latest/ref/states/all/salt.states.x509.html.
Q: Can I practice installing and deploying SaltStack on my laptop? Can you recommend a link?
A: I’d recommend you have a look at http://openstack-salt.tcpcloud.eu/develop/quickstart-vagrant.html where you can find a nice tutorial on how to set up a simple infrastructure.
Q: Thanks for the presentation! Within Heat, I’ve only ever seen salt used in terms of software deployments. What we’ve seen today, however, goes clear through to service, resource, and even infrastructure deployment! In this way, does Salt become a viable alternative to Heat? (I’m trying to understand where the demarcation is between the two now.)
A: Think of Heat as part of the solution responsible for spinning up the hardware resources such as networks, routers and servers, in a way that is similar to MaaS, Ironic or Foreman. Salt’s part begins where Heat’s part ends: after the resources are started, Salt takes over and finishes the installation/configuration process.
Q: When you mention Orchestration, how does salt differentiate from Heat, or is Salt making Heat calls?
A: Heat is more for hardware resources orchestration. It has some capability to do software configuration, but rather limited. We have created Heat resources that help to classify resources on the fly. We also have Salt Heat modules capable of running a Heat stack.
Q: Will you be showing any parts of SaltStack Enterprise, or only FREE Salt Open Source? Do you use Salt in Multi-Master deployment?
A: We are using the open source version of SaltStack; the enterprise gets little gain given the pricing model. In some deployments, we use the Salt master HA deployment setups.
Q: What HA engine is typically used for the Salt master?
A: We use 2 separate masters with shared storage provided by GlusterFS on which the master’s and minions’ keys are stored.
Q: Is there a GUI ?
A: The creation of a GUI is currently under discussion.
Q: How do you enforce Role Based Administration in the Salt Master? Can you segregate users to specific job roles and limit which jobs they can execute in Salt?
A: We use the ACLs of the Salt master to limit the user’s options. This also applies for the Jenkins-powered pipelines, which we also manage by Salt, both on the job and the user side.
Q: Can you show the salt files (.sls, pillar, …)?
A: You can look at the GitHub for existing formulas at https://github.com/tcpcloud and a good example of pillars can be found at https://github.com/Mirantis/mk-lab-salt-model/.
Q: Is there a link for deploying Salt for Kubernetes? Any best practices guide?
A: The best place to look is the https://github.com/openstack/salt-formula-kubernetes README.
Q: Is SaltStack the same as what’s on saltstack.com, or is it a different project?
A: These are the same project. Saltstack.com is the company that is behind the Salt technology and provides support and enterprise versions.
Q: So far this looks like what Chef can do. Can you make a comparison or focus on the “value add” from Salt that Chef or Puppet don’t give you?
A: The replaceability/reusability of the individual components is very easy, as all formulas are ‘aware’ of the rest and share a common form and single dependency tree. This is a problem with community-based formulas in either of the other tools, as they are not very compatible with each other.
Q: In terms of purpose, is there any difference between SaltStack vs Openstack?
A: Apart from the fact that SaltStack can install OpenStack, it can also provide virtualization capabilities. However, Salt has very limited options, while OpenStack supports complex production level scenarios.
Q: Great webinar guys. Ansible seems to have a lot of traction as means of deploying OpenStack. Could you compare/contrast with SaltStack in this context?
A: With Salt, the OpenStack services are just part of wider ecosystem; the main advantage comes from the consistency across all services/formulas, the provision of support metadata to provide documentation or monitoring features.
Q: How is Salt better than Ansible/Puppet/Chef ?
A: The biggest difference is the message bus, which lets you control, and get data from, the infrastructure with great speed and concurrency.
Q: Can you elaborate Mirantis Fuel vs SaltStack?
A: Fuel is an open source project that was (and is) designed to deploy OpenStack from a single ISO-based artifact, and to provide various lifecycle management functions once the cluster has been deployed. SaltStack is designed to be more granular, working with individual components or services.
Q: Are there plans to integrate SaltStack in to MOS?
A: The Mirantis Cloud Platform (MCP) will be powered by Salt/Reclass.
Q: Is Fuel obsolete or it will use Salt in the background instead of Puppet?
A: Fuel in its current form will continue to be used for deploying Mirantis OpenStack in the traditional manner (as a single ISO file). We are extending our portfolio of life cycle management tools to include appropriate technologies for deploying and managing open source software in MCP. For example, Fuel CCP will be used to deploy containerized OpenStack on Kubernetes. Similarly, Decapod will be used to deploy Ceph. All of these lifecycle management technologies are, in a sense, Fuel. Whether a particular tool uses Salt or Puppet will depend on what it’s doing.
Q: MOS 10 release date?
A: We’re still making plans on this.
Thanks for joining us, or if you missed it, please go ahead and view the webinar.
Source: Mirantis