Just some Punq

Merlin Mann has shared an interesting idea for sharing sensitive information over e-mail without going through the hassles of learning to use e-mail encryption… and getting all your recipients to use the same scheme as you.

• Zip your files
• Put the zip file in your Dropbox ‘Public’ folder
• Email the file link, not the file

Originally from practicallyefficient

Merlin adds a bunch of extra “security” features that are mostly aimed at limiting the amount of time something is available (use a Hazel rule to clean up the files after a time) and making the URL to a file harder to just guess (e.g. by generating a password from 1Password and using it as the file name).

While those aren’t bad pieces of advice, per se, it’s pretty easy to write a script to pull everything out of someone’s public Dropbox folder on a schedule… so those pieces of advice don’t have all that much security value.

You can up the ante a bit by password-protecting the ZIP file; on a Mac (OS X) or Linux machine:

zip -ejr zipfilename.zip DirectoryOrFileToCompress

Of course, cracking zip passwords isn’t terribly hard, but it’s another step people have to go through, and at least the ZIP is still supported on every modern OS.

If you and your recipient are both on OS X, you can easily create an encrypted Disk Image file to share on Dropbox. If you’re not both on OS X, and you’ll be doing this a lot, you can create encrypted disk images using the wonderful and free TrueCrypt. It’s a bit to set up on OS X (especially if you already use MacFUSE for something), and creating the image each time can be a little annoying, so it’s not great for one-off stuff.

And, of course, you can use GnuPG to encrypt the files — it supports password-based (i.e. symmetric) encryption, so you needed mess about with keys. To do this easily:

• On OS X, use the GPGTools Installer, then also install GPGFileTool for drag-n-drop file encryption/decryption

• On Windows, use Gpg4win. Just right-click a file you want to encrypt, select GPGee->Encrypt (Symmetric) and follow the prompts.

Ultimately, it’s just not hard to actually use encryption with just a little setup. Just remember that all of these methods generate a password — don’t put your password in an e-mail with the link to the file: email the link and text the password.

Anything that doesn’t take years of your life and drive you to suicide hardly seems worth doing. — Cormac McCarthy, as quoted in Wall Street Journal (online edition), “Hollywood’s Favorite Cowboy“, Nov 13. 2009

There may be a message here for security professionals. ;)

This is a nice list from MS of functions in C and related languages; each of these has been deemed to be more hassle than it’s worth, from a security point of view.

List of banned functions (HT: Schneier)

I really hate it when people who aren’t security professionals try to speak professionally about security.  DaringFireball had this to say:

Security is about technical measures, like the strength of the locks on your doors and windows. Safety is about the likelihood that you’ll actually suffer from some sort of attack. — The Difference Between Security and Safety

That’s unbelievably wrong.  Security is about risk assessment and treatment; the technical measures put in place are called controls. Something is “more secure” when the residual risk (the risk that remains after implementing controls) to it is lower.

I know that the Mac community can be bone-headed about security claims, and it is worthwhile to point out that “small virus threat” doesn’t mean “secure”.  However, just because Windows has added a lot of security controls to their product doesn’t make it “secure” either.  The overall design of OS-X is inherently more secure than the overall design of Windows. This means that OS-X needs fewer compensating controls in place to acheive acceptable security.

That, in combination with its lower attractiveness (and that is a valid security consideration) makes OS-X a more secure choice than Windows.  That might change as OS-X targets become more attractive, and as Microsoft improves the design of Windows.

Security is, after all, a moving target.

security is an illusion. It’s a heuristic we draw from observing the coincidence of things not going badly for a while at a stretch. — Merlin Mann

Merlin’s observation is about the security of a steady income, but it applies equally to planning for personal data security. We feel secure when things haven’t gone poorly in a while, and we feel insecure when our wounds are fresh — when we’ve been recently defrauded, our computers infested with malware, or what have you.

It is for this reason that it is important to pull ourselves away from our assumptions about security, and make plans against security breaches while we feel secure; that is, while we remain more rational.