Google China to Stop Censorship

Until now, Google has operated in China by not listing government-blacklisted sites in its search results (see google.cn search results for “Tiananmen”). This was controversial, but Google maintained that it was better to work within these restrictions than to have no presence in China.

After recent cyber attacks on Google, Google is changing its stance. This will be interesting.

Read the full Google Blog post:

A new approach to China

Like many other well-known organizations, we face cyber attacks of varying degrees on a regular basis. In mid-December, we detected a highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property from Google. However, it soon became clear that what at first appeared to be solely a security incident–albeit a significant one–was something quite different.

First, this attack was not just on Google. As part of our investigation we have discovered that at least twenty other large companies from a wide range of businesses–including the Internet, finance, technology, media and chemical sectors–have been similarly targeted. We are currently in the process of notifying those companies, and we are also working with the relevant U.S. authorities.

Second, we have evidence to suggest that a primary goal of the attackers was accessing the Gmail accounts of Chinese human rights activists. Based on our investigation to date we believe their attack did not achieve that objective. Only two Gmail accounts appear to have been accessed, and that activity was limited to account information (such as the date the account was created) and subject line, rather than the content of emails themselves.

Third, as part of this investigation but independent of the attack on Google, we have discovered that the accounts of dozens of U.S.-, China- and Europe-based Gmail users who are advocates of human rights in China appear to have been routinely accessed by third parties. These accounts have not been accessed through any security breach at Google, but most likely via phishing scams or malware placed on the users’ computers.

We have already used information gained from this attack to make infrastructure and architectural improvements that enhance security for Google and for our users. In terms of individual users, we would advise people to deploy reputable anti-virus and anti-spyware programs on their computers, to install patches for their operating systems and to update their web browsers. Always be cautious when clicking on links appearing in instant messages and emails, or when asked to share personal information like passwords online. You can read more here about our cyber-security recommendations. People wanting to learn more about these kinds of attacks can read this U.S. government report (PDF), Nart Villeneuve’s blog and this presentation on the GhostNet spying incident.

We have taken the unusual step of sharing information about these attacks with a broad audience not just because of the security and human rights implications of what we have unearthed, but also because this information goes to the heart of a much bigger global debate about freedom of speech. In the last two decades, China’s economic reform programs and its citizens’ entrepreneurial flair have lifted hundreds of millions of Chinese people out of poverty. Indeed, this great nation is at the heart of much economic progress and development in the world today.

We launched Google.cn in January 2006 in the belief that the benefits of increased access to information for people in China and a more open Internet outweighed our discomfort in agreeing to censor some results. At the time we made clear that “we will carefully monitor conditions in China, including new laws and other restrictions on our services. If we determine that we are unable to achieve the objectives outlined we will not hesitate to reconsider our approach to China.”

These attacks and the surveillance they have uncovered–combined with the attempts over the past year to further limit free speech on the web–have led us to conclude that we should review the feasibility of our business operations in China. We have decided we are no longer willing to continue censoring our results on Google.cn, and so over the next few weeks we will be discussing with the Chinese government the basis on which we could operate an unfiltered search engine within the law, if at all. We recognize that this may well mean having to shut down Google.cn, and potentially our offices in China.

The decision to review our business operations in China has been incredibly hard, and we know that it will have potentially far-reaching consequences. We want to make clear that this move was driven by our executives in the United States, without the knowledge or involvement of our employees in China who have worked incredibly hard to make Google.cn the success it is today. We are committed to working responsibly to resolve the very difficult issues raised.

12 Tips for Protecting Your Computer from Snoopers

In the DC area especially, there are people who have reason to be concerned about computer espionage, either for work (national or corporate secrets) or personal reasons (divorce or blackmail). Here are 12 tips to guard against intruders snooping on your activities:

  1. Use decent passwords. The easiest way for someone to access your email and other information is if they know or can easily guess your passwords. It is estimated that 1 out of every 9 people use a password on the top 500 worst password list. Most passwords are “cracked” not through problems with the encryption itself, but because the password is poor. Don’t use dictionary words, the names of loved ones, the names of your pets, your birthday, etc. Longer passwords are better, so government institutions often require at least 10-14 characters. Passwords should be random and use letters, numbers, and special characters.
  2. Use different passwords for different things. If someone sees your computer login password over your shoulder, you don’t want them to then have access to your bank account because it has the same password.
  3. Change passwords regularly. Government and corporate security protocols typically require that passwords be changed at least every 3 months.
  4. Use a password manager. Seeing a theme here about the importance of passwords? If you have different random passwords and change them regularly, then you either have a memory like Rain Man or you keep track of the passwords somewhere. The most popular software tools to manage passwords are LastPass (Free or Premium for PC, Mac, and others), KeePass (Free for PC, Mac, and others) and 1Password ($39.95 for Mac). Password software allows you to keep all your passwords encrypted with one master password. It can autofill site information so that you only have to remember that one master password. It also has a Password Generator to create random strong passwords, a great idea. Without this, most people use passwords that are similar. To the extent that your passwords are similar, an investigator can more easily guess your other passwords. (Tip: use Dropbox to backup/sync KeePass or 1Password encrypted files. LastPass syncs automatically between computers).
  5. Do not use personal information that can be guessed as the answers to your online secret questions. This is how Sarah Palin’s Yahoo email was “hacked” in September 2008 simply by someone guessing the answers to her challenge questions such as where she went to high school.
  6. Tie your Yahoo or other login site to another email account or cell phone number. This will let you know of any attempted password resets and help if tip 5 doesn’t work.
  7. Encrypt files. As we explained in our post Encryption on USB Flash Drive, TrueCrypt can be used to encrypt your important data. Remember that although TrueCrypt cannot be cracked, someone could guess your password if you chose it poorly.
  8. Remember that your router is a computer too. Your router manages all the data between your computer and the Internet. If your router software is compromised, you could be sent to a site claiming to be your bank but really being a completely different site due to website misdirection from a bogus DNS system used by your router. The router software should be checked, firmware reloaded, and the password on the router should be changed. Most people unknowingly leave the router login defaults. That is safe enough if your local network is not breached, your WiFi isn’t hacked, and your router is not remotely accessible.
  9. Use strong WPA2 WiFi encryption. WPA2 is not easily cracked like WEP. Tools such as BackTrack and KisMAC can crack WEP in minutes. (See photo of “war driver” below hacking into a WiFi network.)
  10. Turn down your WiFi antenna strength. Hackers can crack into a WiFi access point from over a block away with directional antennas and a good line-of-sight to their target. If you don’t need the extra signal strength, turn it down since a weak signal is harder to crack. This isn’t an option on all routers. If you want to take extra control of your router for this and other options, see if you can load the alternative DD-WRT firmware.
  11. Check for keyloggers. Keyloggers will log everything you type. They can be in the form of software or physical devices that are attached to a USB port or between the keyboard and computer.
  12. Wipe computer and start fresh. If someone has had physical access to your computer or if the computer is already compromised, all bets are off. Some experts and government institutions will simply decommission a compromised computer and trash it. But most people should be satisfied with wiping everything. The hard drive can be wiped and the operating system reinstalled. The BIOS (seen from the very initial startup) can be reflashed and checked. The computer can be opened and physically checked for modifications.
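
The password tips above (1 through 4) can be checked mechanically. The following Python is an added example, not part of the original post: it audits a set of account passwords for the weaknesses the tips describe and generates random replacements the way a password manager's generator does. The short `WORST` list, the thresholds, and the sample accounts are constructed for illustration.

```python
import secrets
import string
from datetime import date

# Constructed sample values, not real data: a tiny stand-in for a
# "worst passwords" list, plus thresholds taken from tips 1 and 3.
WORST = {"123456", "password", "qwerty", "letmein", "dragon"}
MIN_LEN = 14          # upper end of the 10-14 character range (tip 1)
MAX_AGE_DAYS = 90     # "at least every 3 months" (tip 3)
SPECIALS = "!@#$%^&*-_=+?"

def class_problems(pw):
    """List the character classes (tip 1) that a password lacks."""
    checks = [("lowercase", str.islower), ("uppercase", str.isupper),
              ("digit", str.isdigit), ("special", lambda c: not c.isalnum())]
    return [f"no {name}" for name, ok in checks if not any(ok(c) for c in pw)]

def generate(length=16):
    """Random password from a CSPRNG, as a manager's generator would (tip 4)."""
    if length < 4:
        raise ValueError("length must allow all four character classes")
    alphabet = string.ascii_letters + string.digits + SPECIALS
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not class_problems(pw):
            return pw

def audit(accounts, personal, today):
    """accounts: {name: (password, last_changed)} -> {name: [problems]}."""
    first_use, report = {}, {}
    for name, (pw, changed) in accounts.items():
        problems = class_problems(pw)
        if len(pw) < MIN_LEN:
            problems.append("too short")
        if pw.lower() in WORST:
            problems.append("on worst-password list")
        if any(p.lower() in pw.lower() for p in personal):
            problems.append("contains personal information")   # tip 1
        if pw in first_use:
            problems.append(f"reused from {first_use[pw]}")     # tip 2
        first_use.setdefault(pw, name)
        if (today - changed).days > MAX_AGE_DAYS:
            problems.append("older than 90 days")               # tip 3
        report[name] = problems
    return report

if __name__ == "__main__":
    sample = {"email": ("password", date(2010, 1, 1)),          # constructed
              "bank": ("password", date(2009, 6, 1)),
              "laptop": ("Rex2004!", date(2010, 1, 15))}
    print(audit(sample, personal=["Rex", "2004"], today=date(2010, 1, 15)))
```
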

Let me know if you have other suggestions for keeping your computer information safe from surveillance.


Thunderbird Add-ons

You might have heard about add-ons for the popular web browser Firefox that give it more capabilities. Well, the folks at Mozilla also make a great email client called Thunderbird (PC, Mac, Linux) that has add-ons too.

I found this out when I needed to send someone hundreds of emails. The Add-on ImportExportTools (which oddly is not part of Thunderbird’s list of Add-ons) was able to take all the emails I wanted and move them into an HTML indexed folder for easy browsing. This powerful add-on also helps in a myriad of cases when migrating or merging email archives, and it performs some import/export feats that are impossible with other email clients such as Outlook and Mac Mail.

ImportExportTools Thunderbird Add-on

Manage Your Podcasts in iTunes

If you use iTunes and need more control of your podcasts, click on the Settings… tab at the bottom of the iTunes Podcasts page. This gives you the ability to choose download and retention settings. You can set a default and per-podcast setting.

Set a default podcast setting that applies to most of your podcasts, by first choosing:

Podcast Defaults

The individual control of podcasts was added a year ago in iTunes 8 but most people didn’t notice the addition. Now you can, for example, automatically keep only the latest of your news programs while keeping all of your story podcasts.

Some podcasts are released in batches. For example, NPR’s Diane Rehm’s Friday News Roundup podcasts are released two at a time on Friday. Therefore I set it to Download all instead of the most recent one. If I only downloaded the most recent, I would miss one of the shows.

Podcast Settings

You might also want to Download all if you only sync occasionally and want the most recent files, instead of the most recent podcast and an older podcast from when you last synced.

I find that if you change a podcast to keep only the Last X number of episodes, this does not go into effect immediately, but it eventually goes into effect after a podcast is refreshed.

Online Travel Sites

Reagan National Airport

Online travel booking is easier than ever. And for us lucky folk in Washington DC with three airports (Dulles, Reagan, and BWI) there are flights everywhere and lots of deals. Below are some useful travel sites.

Travel Reservations

Travelocity – early leader in online reservations with roots back to CompuServe and AOL. Now known for the gnome commercials.

Orbitz – developed by airlines in response to Expedia and Travelocity.

ITA – uses the search system that powers Orbitz, but allows far more complex trips.

Priceline – offers standard purchases or allows you to name your own price for flights, hotels, and car rentals. Pitchman is now William Shatner.

Expedia – started by Microsoft, bought by Ticketmaster, now independent.

Hotwire – owned by Expedia. Unique in that you purchase hotels based on location and star rating. You only find out the name of your hotel after the purchase.

Kayak – travel search aggregator. Kayak does not directly sell tickets, but links to all the sites that do and makes a small amount of money on click throughs.

Bing Travel – recently renamed from Farecast.com, now owned by Microsoft. This site has flight price trends and predictions to help you decide if you should buy or wait for a better fare. It’s not perfect but has helped me on a couple of occasions with suggestions to wait for a better price.

Special Airlines

JetBlue and Southwest airlines are not part of the above travel reservation sites. You can only book with them directly.

Other Resources

The Savvy Traveler Blog – deals and news by Rudy Maxa who often discusses travel on WAMU’s Kojo Nnamdi Show on NPR in DC.

Flyertalk – forum for frequent flyers to discuss deals and reward programs. This is where serious deal seekers go to discuss optimizing their points and airline status.

Liftopia – discount ski lift tickets and ski hotel deals.

TripBuzz – find local activities.

Have other travel resource recommendations? Email me to let me know.

6/12/16 UPDATES: Updated ITA Link and added TripBuzz, thanks to Phoebe.