Don’t let your house get too smart

The Thinker by Rodin

At the Home Depot today I was looking at light bulbs. LED lights are now as cheap as compact fluorescent lights were some years ago, which is great because they use minimal energy and last for decades. Most of them come with features. I bought a LED bulb for a lamp I was buying that changes color. Each time you turn it on the color changes subtly. There were many variations of dimmable LED lights; many variations on color changing LED lights and one bulb that for about $15 had a Wifi connection. It was that last one that gave me pause: an intelligent light bulb? Apparently yes and you can use it with various home security systems to program the times you want it on and off, and even control it with a smartphone app.

As a gadget guy and a retiree with plenty of time on his hands, I like the idea of turning my home into a smart house. I even like the idea of appliances like Amazon’s Alexa where you can say something like, “Alexa, what’s the temperature now?” and it will tell you. I tried this device when I was in Michigan last month visiting my aunt. She has Alexa but all she does with it is tell it to play music and to stop playing music. So 99% of the time it streams innocuous piano much. However, when I asked it, it told me the temperature outside easily enough.

I like the idea of being half a world away and having remote cameras show me that my cats are doing okay and something telling me that the furnace has died. Our furnace igniter did actually die while we were in Europe. Thankfully we had a house sitter who took charge of the situation, which of course happened inconveniently during a blizzard. She got it fixed. However, a smart house system could have let me know there was a problem and ping me with a text message or email.

I don’t seem to be in a hurry to get an Alexa or to make my home smarter. Frankly, the Alexa device scares me. Alexa and Google Home are apparently very good at listening surreptitiously. I suspect if my wife and I were arguing it would pick that up. Perhaps I would get targeted ads from for divorce lawyers afterward. For me, Alexa and similar appliances cross a line I don’t want crossed: letting a company or potentially anyone know more about me than I want to give out, which is already plenty. That’s why we bought a VPN. Given that I am rarely more than a dozen feet from a computing device, there is little impetus to make my life that much more convenient.

I am more concerned about hackers than I am worrying what Amazon or Google is learning about me when I install one of these smart devices. A thief could potentially remotely turn off a smart front porch light bulb. I notice that many doors now come with locks that can be unlocked remotely. This also concerns me. If I lose my key I might not be able to get into my house without a locksmith. But a house that can be unlocked electronically potentially allows anyone with the right skills and intent to let themselves in.

And that’s precisely what we are doing in principle by creating smart houses. We’re entrusting a wireless technology to be absolutely secure when it isn’t and likely won’t ever be secure. There are too many backdoors including the most vulnerable ones: our own smart devices, which keep the electronic keys to these devices. So to the extent I want my house to be smart, I mostly want it to inform me about events only.

So yes, please tell me if the furnace or AC isn’t working. Tell me if a window is not secured when it should be. It can phone the cops if it suspects a burglary has happened when I am not at home. I don’t want a device that silently listens to my yammer and keeps notes. I only want to be able to remotely control devices that add security, not take it away. I don’t want to be able to unlock my doors remotely, but I might want the ability to lock them remotely.

Internet security is something of an oxymoron. You can’t trust it completely. However you can trust hardware devices that can only be controlled manually. If all my smart appliances were wired to a central switchboard, I would trust that. For the same reason, I trust my circuit breaker box. I can fully understand it and since it’s a mechanical device it cannot be controlled remotely. Since data can be transferred over power lines, smart devices could use them for communications instead of Wifi networks. All would report over the power line to the smart device, perhaps in the basement that controlled the smart house. The device would have physical switches that you could turn on and off if you wanted to allow remote access to various smart devices. It would also need some hardware to ensure that data could not accidentally be sent to the power company.

We may get such a solution at some point. Right now though no one seems to be thinking this through adequately, which is why I will very selectively make my house smart, if I allow it at all.

It’s not paranoia if they really are out to spy on you

The Thinker by Rodin

President Obama says that no one is reading your email. Maybe not in my case because most of my email is not particularly interesting, but I sure as heck don’t like that the government is collecting huge amounts of metadata about me. Metadata (data about data) is really equally as interesting, if not more so, than actual emails and Facebook posts that you make.

Supposedly a secret court oversees all this. But it’s not a good omen when this court rejects only a handful of requests a year, and approves thousands of others. It’s not comforting to know that Big Brother is indeed watching me to keep me safer and that President Obama is as complicit in this mess as everyone else. Most of Congress has little idea what is going on, and those that do are sworn to secrecy. Being vested members of the system, they will have a natural tendency to think that government’s security needs will trump your right to privacy in your daily affairs.

I could possibly be okay with non-US citizens being monitored by the government but not me, no way, not without my explicit consent. I am a citizen, and I have freedoms and an inherent right to privacy. It’s in the Bill of Rights: freedom from unreasonable searches and seizures, a.k.a the Fourth Amendment. Any Supreme Court worth its salt would reject Project Prism, identified in leaks by Edward Snowden, as wholly unconstitutional. But it is clear that the NSA is sniffing pretty much every packet of data it can get its hands on, not to mention telephone records, and putting all the metadata into huge hosting centers, and maybe your data as well. It’s not even clear that even with a legal prohibition they would actually stop.

Like many Americans I will be working to enact laws to get the government out of the proactive data collection business of U.S. citizens altogether. I have to admit that the probability of my success is rather low, but it would help dear reader if like me you holler like hell at your elected officials. They need to understand that this is not acceptable at all. And if you are cool with the government reading your email and tracking your online behavior then by all means give them permission to do so. I never did.

There have been a number of depressing articles recently about just how easily the government can collect information about us. Of course, it is not just the government. We are already deeply in bed with services like Google that make fabulous search engines and great email in the cloud products, while developing uncannily eerie portfolios of our behavior more valuable than years of babbling to a clinical psychologist.

If like me you are fed up, you might try a few ways of fighting back. Here are some I know about from reading, my experience and that very useful course I took on networking in graduate school.

First off: email. I am guilty of using Gmail. It sure is convenient to have a decade or so of email in the cloud, accessible anywhere I go. However, if you really want private email, you are going to have to pay for it. More importantly, you need an email host not located in the United States. This way when they get a subpoena from a U.S. court they can just laugh. You pay them so they don’t start serving you advertisements and developing their own psychological profile of you. There is no completely risk free solution, but you need to avoid all the cloud email services and that includes GMail, Yahoo Mail, MSN, Hotmail and the like. Here’s one to try: hushmail.com. They are located in Canada and all email is sent via Secure Socket Layer (https). You can use their free web email but if you prefer secure POP or IMAP access, you got to pay them. Their premium package is $34.99 a year. It’s money well invested. Of course they do have some limitations. You can’t use it for sending out spam or for any illegal purpose, at least for any illegal purpose applicable in British Columbia. And for their free web mail, if you don’t log in at least every three weeks, they’ll remove your account. If you do have a hushmail.com or similar type of account, don’t advertise it on your web site or business cards. You don’t want the NSA to associate you with it.

Like to instant message? Don’t particularly like having the NSA able to listen in? What you need to do is nag your chat partners to use encryption. Of course many providers already provide that, but if they can decode it on their servers when sending it between parties then you are vulnerable. You need a chat client with OTR (“off the record”) functionality. Basically you and your recipient exchange cryptographic keys each of you generate and trade them using the protocol. It takes a little bit of effort and you may have to convince your friend to use Adium (Mac) or Pidgin (PC and other operating systems), and then show them how to use OTR. It’s a relatively painless one-time thing between two parties. Your instant messaging provider won’t be able to decrypt it, and neither will the NSA.

Who doesn’t like surfing the web? You may not like it as much if you can’t use your favorite browser, but if you can deal with Firefox you can install TOR, a browser endorsed by Edward Snowden himself. TOR is a customized version of Firefox with privacy enhancements, so it is built on top of an open-source browser. Essentially it proxies traffic between frequently changing servers, making it hard if not impossible for your browsing to be associated with your address on the Internet. I tested it yesterday. I admit it is a bit slower working through a proxy and some of the security features are annoying (it doesn’t want to retain links or easily import bookmarks). But used religiously and you will seem a G-rated person to the NSA even if you live an R-rated life.

Like your cellular phone service but want it secure? Look into Silent Circle. You can also use it for secure messaging, video chats and email. Also look at Redphone software. Curiously, Redphone was developed with your tax money.

What else can you do? If you don’t like turning over private aspects of yourself you could be very brave and delete your Google, Yahoo and other cloud-based accounts. Remember, the government could request these services to give you all their metadata. I’ll grant you that deleting these accounts is hard because they are so convenient. So save those services for the truly vanilla stuff you wouldn’t mind putting on a postcard.

On my list of things to do is getting rid of accounts on sites that provide specialized services. I mentioned mint.com earlier this year. It’s a neat site but it knows too much about me, including all my account numbers and passwords. It’s going to get deleted soon. I’ll keep my financial stuff in Quicken on my home computer. I’ll backup my files to a spare external hard disk, which is easy enough using my Mac and TimeMachine.

Six years ago I mentioned TrueCrypt. It’s a great way to encrypt your whole hard drive, so even the NSA can’t read it. With many operating systems you can do this with a simple command or two. Look into it.

Mobile devices have all sorts of security issues. At a minimum you can try to use secure socket layer when communicating. Many of the solutions I mention above have mobile equivalents. Use them if you can or keep your mobile life boring and G-rated.

Thanks to Edward Snowden, our worst fears have been confirmed. There is no reason to let the government know more about you than your spouse, but that potential is there. You are being sniffed, cataloged, indexed and, perhaps without a court order, having your digital content analyzed for subversive behavior or anything the government wants to learn about you. Join me in yelling like hell but don’t be a patsy either. Do what you can to keep the government out of your digital life.

Needed: Home Internet Security Appliance

The Thinker by Rodin

Windows guru Brian Livingston’s latest newsletter on the sorry state of PC security in the Internet age is a wakeup call. The vast majority us connected to the Internet at home may think we have safeguarded our PCs. But while we may have the front door of our computer locked it is likely our back door is still open. In addition ghouls and other ghastly things are trying to come through the windows. And when we do open the door it is likely that thieves are slipping right past us unseen.

Here’s what we are doing at our house. First we have a cable modem that is always on. All the PCs in the house have the free version of ZoneAlarm installed. It traps (we believe) unauthorized incoming and outgoing Internet traffic embedded in TCP/IP packets. We have a laptop with a wireless card in it connected to our wireless router. All wireless conversation is encrypted and traffic is limited to a few IP addresses. All PCs are running McAfee AntiVirus, which is configured to check daily for updated virus patterns. My wife is smart enough to also know about spy-ware, so she regularly checks our PCs with the free version of Ad-Aware. All of us except my daughter avoid Internet Explorer, preferring Mozilla Firefox for our web browsing. My wife, who works on a help desk, regularly installs the latest patches to our operating systems and key programs. In addition my wife and I have enabled the spam filter on the Cox mail server. But because it is not perfect I also run ChoiceMail whitelist software to further reduce spam. My antivirus program does an automatic weekly virus check of all the files on my hard disk. By most measures we are on the cutting edge of home PC security.

But we are not doing enough. Brian Livingston says we need a hardware firewall in addition to software firewalls on all our PCs. And we need to buy antispam software that we don’t have. Meanwhile we continue to let my daughter violate security rules because, well, we must be spineless morons for parents. You see she must use Internet Explorer because all her friends are using MSN Messenger and it is tied intricately to IE. My wife doesn’t have the heart to take away her administrator privileges so she keeps downloading crap over and over again although we keep telling her not to. A frequently find on her machine is that obnoxious spyware Gator, among others.

All this security is a hassle for us. Yet I doubt most other families are doing half what we are doing. My father, for example, is running Windows Me over a dialup connection to MSN. His antivirus software expired and he couldn’t figure out how to renew it. When my wife ran Ad-Aware on his PC she found it was clogged with crap he never knew he had. We still can’t say if he is virus free because we are having a problem getting McAfee to work on Windows Me.

Enough. It’s time industry came up with a solution. We need a home Internet security appliance, perhaps integrated into our cable and DSL modem. This should be a smart machine that will take care of a whole family’s security needs. To get rid of spam it should have Brightmail antispam server software embedded in the appliance. Brightmail is the only solution out there that really works as a blacklist. With Brightmail integration it should catch virtually all the spam. But this appliance should also catch viruses, Trojan horses, mallware, prevent phishing attacks and kill all ad-ware automatically and transparently.

But it should do more than that. It should constantly keep our PCs tuned with the latest well tested software patches. It’s clear that Microsoft cannot be trusted, so appliance vendors will have to act as a testing clearinghouse for us. This appliance should talk with software installed on our machines to take care of the numerous chores we now have to do manually. For example it could keep us updated on the latest versions of our installed software, optimizing our hard disks and let us know if components appear to be failing. Ideally these appliances would be certified by an impartial government agency, or meet the current FIPS standards.

I hope there are companies working on such appliances. All the antivirus vendors should be doing this as a survival strategy. It would be an easy sell and it would be easy revenue stream for them by marketing a yearly subscription service. I know I would be in the market for such a unit. Why have a PC attached to the Internet if it becomes more hassle than fun?