About personal data security

[this is a repost of my answer to someone who wondered about security of personal data on Ulteo forums]

Let me explain my way of thinking about this issue.

First, let’s assume that data integrity and confidentiality are the two requirements:

  • we want to be able to retrieve data, as long as we need it, whatever happens on the earth (bombs, earthquakes…)
  • we want to ensure that no one but authorized people can read the data, use it or modify it


Now there are different cases. Let’s take these two cases to simplify:

  1. your personal data: most of the time it is stored on your computer. As a result, it is totally unsafe for several reasons: someone can break into your computer and steal your data, or your hard drive (laptop) can be stolen, or your house can catch fire, etc. A slightly different case is your online data, for instance Gmail, Yahoo! mail etc. They won’t guarantee anything but “doing the best” to secure the data. It means that it’s likely that they have advanced security systems (but who knows), that they have redundant servers around the planet etc. So in this case it’s likely that your data is more secure if it is stored online. Anyway, it is not really confidential: Gmail reads your emails to generate ads, for instance. Additionally, it happens that they close accounts, for any reason. I know people who got their Yahoo! mail account closed because the Terms of Service weren’t respected (without any further detail). Later, they were unable to get in touch with someone at Yahoo! to get it back and lost all their emails. Maybe in some cases that’s a bug. Worse: laws permit your data to be accessed by government agencies anytime for any “good reason” (as far as I know that’s the case for Google in the USA and Blackberry in the UK). So there is still a risk that your data vanishes into thin air, even if it is stored online on a big service.
  2. data within a corporation (i.e. “sensitive data”). Here, everything depends on the corporation’s policy about data security. Most of the time, I think there is a good level of integrity for the data, assuming that there are mechanisms to replicate the data to other geographical locations, for instance. Confidentiality is certainly worse because security cannot be perfect, and also because many people within corporations use Gmail, Blackberry and other services intensively, apparently even for sensitive transactions/discussions. This is a real (known) issue for strategic corporations that need a high level of confidentiality.

Now, what I think is that the key answer to data integrity and confidentiality is:

  • redundancy to address the integrity problem
  • heavy encryption to address confidentiality


For instance, with tools such as GPG and Thunderbird Enigmail (which are provided and installed by default on Ulteo), you can encrypt your sensitive emails very easily. The only constraint is that you first need to import your receiver’s public key, but that needs to be done only once. Then, all you need to do is to select “encrypt message” when writing your email. With a 2048- or 4096-bit encryption key, this even removes the need to have any security or encryption “on the line” (TLS, SSL…).

In this case you can even add a personal Gmail account in CC: as a safe backup! You won’t be able to read the email content within Gmail, but if you happen to need it, you can retrieve the email and decrypt it locally. And Gmail won’t be able to read the content of these archives in any way.
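The one-time key import and the encrypted backup copy described above, shown on the gpg command line (an added example, not part of the original post; it assumes GnuPG 2.1 or later, and all names and addresses are constructed). It also encrypts to the sender's own key, which is what makes the copy in the backup mailbox decryptable by its owner later.

```shell
#!/usr/bin/env bash
# Added example. Two throwaway keyrings stand in for sender and receiver;
# names and addresses are constructed and your real ~/.gnupg is never touched.

g() { local home=$1; shift; gpg --homedir "$home" --batch --quiet --no-tty "$@"; }

# Print the primary-key fingerprint of key $2 in keyring $1.
fpr() { g "$1" --with-colons --fingerprint "$2" | awk -F: '/^fpr:/ {print $10; exit}'; }

encrypted_backup_roundtrip() {
  local tmp s r theirs out
  tmp=$(mktemp -d) || return 1
  s="$tmp/sender"; r="$tmp/receiver"
  mkdir -m 700 "$s" "$r" || return 1

  # Each side creates its own key pair (empty passphrase only for this demo).
  g "$s" --passphrase '' --quick-generate-key 'Sender <sender@example.org>' default default never >/dev/null || return 1
  g "$r" --passphrase '' --quick-generate-key 'Receiver <receiver@example.org>' default default never >/dev/null || return 1

  # One-time step: import the receiver's public key into the sender's keyring.
  g "$r" --armor --export receiver@example.org | g "$s" --import >/dev/null || return 1

  # Check the imported fingerprint against the one the receiver gave you over
  # another channel, then certify the key locally so gpg will encrypt to it.
  theirs=$(fpr "$r" receiver@example.org)
  [ -n "$theirs" ] && [ "$(fpr "$s" receiver@example.org)" = "$theirs" ] || return 1
  g "$s" --quick-lsign-key "$theirs" >/dev/null || return 1

  # Encrypt to the receiver AND to your own key: a copy encrypted only to the
  # receiver could not be decrypted by you when you fetch it from the backup.
  printf 'meeting moved to 10:00\n' | g "$s" --armor --encrypt \
    --recipient receiver@example.org --recipient sender@example.org \
    --output "$tmp/mail.asc" || return 1
  grep -q 'meeting moved' "$tmp/mail.asc" && return 1   # stored copy must be ciphertext

  # The mailbox only ever holds mail.asc; its owner decrypts it locally.
  out=$(g "$s" --decrypt "$tmp/mail.asc") || return 1
  gpgconf --homedir "$s" --kill gpg-agent 2>/dev/null; gpgconf --homedir "$r" --kill gpg-agent 2>/dev/null || true
  rm -rf "$tmp"
  printf '%s\n' "$out"
}
```

Calling `encrypted_backup_roundtrip` prints the decrypted message. Only the body is encrypted this way; the Subject line and addresses of a real email stay readable to the mail provider.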

In the same spirit, Ulteo also integrates the Kopete “Silc” plugin that provides a totally secured IRC chat.

Now, there is the question of data that are stored at Ulteo. Right now, I can’t tell you more than “we’re doing our best to secure your data”. This means security measures on servers, and replication. But I agree that it’s not an ultimate solution.

We plan to provide an encryption feature that would permit us (and you) to store *only* encrypted data, that could be used/decrypted only by the owner of the data, using his credentials.

In this case, you would have a local secured directory where you could put all your sensitive data, and this would be the same on Ulteo online services. So in the bad case where your hard drive is stolen, or in the case where Ulteo servers are cracked, nobody but you could read your secured data.

Gaël.

Ulteo Application System beta1 has been released…

Automatic synchronization of documents with the Ulteo Online Desktop, automatic upgrading, new “My Digital life” panel, installation in about 3 minutes, hundreds of applications available… That’s what you’ll find in this just-released installable version of Ulteo Application System. We have made it with a clear goal in mind: make the PC user’s life still easier. I hope you’ll appreciate it… (download, release notes…)

Two coffees with Ladislav

Today, I’ve spent some time meeting with Ladislav Bodnar. Ladislav is the (nice) guy behind distrowatch.com, a reference Linux website, one of the biggest and certainly one of the nicest ones. Ladislav was coming from Taipei, Taiwan for two days in Paris. I didn’t dare taste his nice present yet, a kind of lychee candy under a plastic film, because everything is written in (traditional) Chinese and I’m so blind about Asian languages. But tomorrow I will, for sure. Will keep you updated.

What a rush!!

The Ulteo main web server is experiencing a big, big rush. It’s been under a heavy load for two days, and of course, page loading is sometimes slower than expected… We have performed emergency tasks, such as moving static stuff to other servers, but the rush is really too big. That’s the Slashdot effect, which is not turning into too bad a situation because our servers have good connectivity and still answer… Of course we’re planning to switch to bigger servers, with some redundancy, but this will of course take a few days. So, be patient, register and come back later if you don’t succeed in launching a session or don’t want to wait… Apologies for that situation, but we didn’t expect such a big and explosive rush…

Gaël.

P.S. And we are also reading all your warm emails! It seems that you like it, and we are going to make it still better, with some stuff that you do not even expect…

Today is the day. For a premiere

The last few days have been extremely busy with the finalization of a partnership between Ulteo and a major Open Source organization. Their software will soon be accessible through the Ulteo Online Desktop in one click, without any download or installation. Finally some publicly available stuff 😉 Stay tuned! And I can’t wait for the release of the V2 of this stuff, which has been under heavy development internally for several months.

An Exceptionally Simple Theory of Everything

Antony Garrett Lisi is a 39-year-old physicist who is not attached to any laboratory, and whose main activity is surfing. Anyway, he just caught some attention from the physics community since he posted a 31-page theory, “An Exceptionally Simple Theory of Everything”, aimed at unifying all the physics theories. Comments from the physics community go from “joke” to “revolutionary”. Read the full paper (if you can!), or just a summary. Update: you can watch a video simulation of the theory.

iPhone SIM unlock, done

I thought I would wait for a couple of weeks more, but when I read this unlocking tutorial, I really couldn’t resist any longer! It took me about 30 minutes to unlock, but that was very easy because all the software is provided and the procedure is very clear. The unlocking tools that have been released are really awesome; in particular, iBrick and the installer are very convenient and impressive. For those who are going to do it and had already unlocked it (just unlocked, not SIM-unlocked), I’d recommend that you:

  • uninstall iTunes
  • reinstall iTunes (from old version 7.3)

Then, remove the AT&T SIM, and start by restoring the iPhone from iTunes (follow the tutorial). Beware that during the restore process, you are going to lose all your pics, and other configuration stuff stored on your iPhone.

Just before you can really SIM-unlock it, you’ll have the thrill of being able to ssh into your iPhone:

[gael@spoon]$ ssh root@iphone
root@iphone’s password:
Last login: Sat Sep 15 13:28:49 2007 from spoon

# ls
Library Media
# ls /
Applications Library System bin cores dev etc mach private sbin tmp usr var

Ain’t it cool? Then on your iPhone, you can easily install some great software, including a VT100 emulator which is very convenient to connect to your PCs through the net, and many others. First time I can put a real PC in my pocket 🙂 SIM-unlock went flawlessly (Tele2/Orange SIM) and I can use SMS without any issue. I had to sync my old Nokia’s contact book to Outlook Express, and then exported them to the iPhone through iTunes.

A few pics…

iphone1.jpg

This shows that the iPhone handles the GSM carrier, and all the available apps.

iphone2.jpg

This shows the software manager within the unlocked iPhone.

iphone3.jpg

You can easily use common cmd-line tools (ping, ssh, grep…) from a VT emulator.

Update / Sept 17th, 2007: I can also use EDGE very easily, but be very careful with this option if you don’t have a special data option! By default with the Tele2 carrier, for maybe 15 minutes of cumulated use, I got 8.5MB transferred for a total cost of… 130 euros! That’s a shame, so I wouldn’t recommend using EDGE with a regular cell subscription service. Check with your carrier!