Stewardship of Security & Privacy

The use of security, privacy, and anonymity tools is most often compromised by users who don’t understand operational security (“opsec”), the methods and discipline of using the tools. You can give the best hardware and software in the world to someone without teaching them about the risks, and you may as well not have given them anything at all. The fact is, security and privacy are caretaking activities — not scary things, but stewardship.

In our post-Snowden world with increased awareness among the general public — though one might argue there has not been enough awareness even still — it’s more important than ever to spread the basic philosophy and practices behind keeping oneself safe when using our increasingly connected devices, particularly our mobile phones. You are only as secure as others in your circle, so what we should be cultivating is a community of awareness. Like driving or swimming, security is something we need to practice, responsibly, within the shared community space of the Internet. However, we shouldn’t think of it as the sole purpose or focus when using our mobiles any more than avoiding an accident is the purpose of driving, or avoiding drowning is the purpose of swimming.

Our mobile devices are progressively becoming integral extensions of our personal, financial, educational, and work lives. Even the US Supreme Court said so in a recent ruling, stating that, “Modern cell phones, as a category, implicate privacy concerns far beyond those implicated by the search of a cigarette pack, a wallet, or a purse.” So we need to learn a little mobile safety just as much as water or driver safety.

Another important point is that while people might freak out about the [GCHQ/NSA/BND], you should be more worried about some 13-year-old kid from eastern Europe hacking your phone and making off with your account data, financial info, address book, and anything else that will enable them to wreak havoc on your life from afar. That’s your typical daily threat, and if your phone is hacked, everyone you know becomes a potential target too. So it’s hygiene; take care of your own leaks and help the people around you take care of theirs.

But don’t go preaching the small, techie details. Keep it simple and easy to grasp. It won’t be perfect to start with, because it will involve putting people well outside their comfort zone for something they may not even care that much about. It will be a start though, and sometimes that’s the best we can ask for — getting our friends and family to take control of their own privacy and security. That’s our job, painting the metaphors. Less boring, more fun and bravery. More taking care of yourself and others. Retrofitting internet communications for anonymity and privacy-by-design is a brave and vain task, after all. The Internet wasn’t designed for it at the protocol level, but it’s demanded by the times.

Avatar Obfuscation in WordPress

By default, the generated avatars used in WordPress come from Gravatar and are based on the commenter’s e-mail address. While this means that users can have customized avatars that follow them across the web, it does prove to be a privacy risk even for people who don’t sign up for the service. Fortunately, the function that fetches avatars in WordPress is easily overridden with a plugin, so I wrote a very simple one that lets you specify a salt to append to e-mail addresses before they are hashed and submitted to Gravatar.
It comes with a simple settings page that lets you specify the salt value. One feature that would be nice to add is some way to whitelist registered users or let commenters specifically override the filter on their comment(s), but that’s beyond my time commitment right now (so pull requests welcome!).
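An added example of the override described above, written for this post rather than taken from the plugin on GitHub: it hooks the `get_avatar_data` filter (assumed to be available, i.e. WordPress 4.2 or later) and rebuilds the avatar URL from a salted hash. The option name and function names are hypothetical.

```php
<?php
/*
Plugin Name: Salted Gravatar Example
Description: Appends a site-specific salt to e-mail addresses before they are hashed for Gravatar.
*/
// Assumption: the salt lives in a WordPress option; the option name is hypothetical.
define( 'SALTED_GRAVATAR_OPTION', 'salted_gravatar_salt' );

// WordPress hands avatar functions a user ID, an e-mail string, or a user/comment/post
// object; normalise all of these to the e-mail address that would be sent to Gravatar.
function salted_gravatar_resolve_email( $id_or_email ) {
    if ( is_numeric( $id_or_email ) ) {
        $user = get_user_by( 'id', (int) $id_or_email );
        return $user ? $user->user_email : '';
    }
    if ( is_object( $id_or_email ) ) {
        if ( isset( $id_or_email->comment_author_email ) ) {   // comment object
            return $id_or_email->comment_author_email;
        }
        if ( isset( $id_or_email->user_email ) ) {             // WP_User
            return $id_or_email->user_email;
        }
        if ( isset( $id_or_email->post_author ) ) {            // WP_Post
            $user = get_user_by( 'id', (int) $id_or_email->post_author );
            return $user ? $user->user_email : '';
        }
    }
    return is_string( $id_or_email ) ? $id_or_email : '';
}

// Gravatar hashes the trimmed, lower-cased address. Appending a secret salt first means the
// published hash is no longer md5(email), so it cannot be matched against known addresses.
function salted_gravatar_hash( $email, $salt ) {
    return md5( strtolower( trim( $email ) ) . $salt );
}

// Runs after WordPress has built the avatar URL; replace it with one using the salted hash.
function salted_gravatar_avatar_data( $args, $id_or_email ) {
    $salt  = (string) get_option( SALTED_GRAVATAR_OPTION, '' );
    $email = salted_gravatar_resolve_email( $id_or_email );
    if ( '' === $salt || '' === $email ) {
        return $args; // No salt configured or no address found: keep the default avatar URL.
    }
    $args['url'] = sprintf( 'https://secure.gravatar.com/avatar/%s?s=%d&d=%s&r=%s',
        salted_gravatar_hash( $email, $salt ), (int) $args['size'],
        rawurlencode( $args['default'] ), rawurlencode( $args['rating'] ) );
    return $args;
}
add_filter( 'get_avatar_data', 'salted_gravatar_avatar_data', 10, 2 );
```

Because the salted hash matches no Gravatar account, every commenter receives a generated default image; that is the intended trade-off, and changing the salt changes every avatar on the site.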

Avatar-Obfuscation on GitHub