My involvement with the EFF and AVNation have also included comments about privacy: AVNation Privacy & EFF Mail Links.

Something I realized while thinking about this subject is that if one sends very few encrypted e-mails, the ones that are encrypted will stand out in the mail being sent. Now you might wonder what I am doing that requires encrypting. It is more practical than you might think, a simple example is to transmit financial information.

I have an additional reason now, confuse the government and anyone else monitoring traffic. This idea is discussed in Cory Doctorow’s book Little Brother section below is used under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 license. This quote below came from line 1826 in the HTML version available on Mr. Doctorow’s website.

“So how come you weren’t on Xnet last night?”
I was grateful for the distraction. I explained it all to him, the Bayesian stuff and my fear that we couldn’t go on using Xnet the way we had been without getting nabbed. He listened thoughtfully.
“I see what you’re saying. The problem is that if there’s too much crypto in someone’s Internet connection, they’ll stand out as unusual. But if you don’t encrypt, you’ll make it easy for the bad guys to wiretap you.”
“Yeah,” I said. “I’ve been trying to figure it out all day. Maybe we could slow the connection down, spread it out over more peoples’ accounts –“
“Won’t work,” he said. “To get it slow enough to vanish into the noise, you’d have to basically shut down the network, which isn’t an option.”
“You’re right,” I said. “But what else can we do?”
“What if we changed the definition of normal?”
And that was why Jolu got hired to work at Pigspleen when he was 12. Give him a problem with two bad solutions and he’d figure out a third totally different solution based on throwing away all your assumptions. I nodded vigorously. “Go on, tell me.”
“What if the average San Francisco Internet user had a lot more crypto in his average day on the Internet? If we could change the split so it’s more like fifty-fifty cleartext to ciphertext, then the users that supply the Xnet would just look like normal.”
“But how do we do that? People just don’t care enough about their privacy to surf the net through an encrypted link. They don’t see why it matters if eavesdroppers know what they’re googling for.”
“Yeah, but web-pages are small amounts of traffic. If we got people to routinely download a few giant encrypted files every day, that would create as much ciphertext as thousands of web-pages.”

My action is a relatively small action and is rather simple to do. However, the fact that it will change the traffic view could be helpful for others. It will prevent other PGP/GPG encrypted traffic from being such an outlier as to be noticed. As EFF posted on Data Privacy Day, privacy is a team sport. There are additional directions for how to do this task at, hover over the tutorials section. If you want to test if it worked, My public key identifier is C93A52C6. You can download my public key from directly from my site. I also will freely admit, I am not sure if it will make a difference, but it could not hurt.

During my “day job”, I work on many projects that are subject to Nondisclosure Agreements (NDA). These projects range from new product development to new projects that have not been announced to details of clients and project contents. There are various levels of diligence called out in each agreement. I am not giving any legal advice on enforcement and application of NDA’s I am sharing some of the principles and practices that are common and I have found helpful. If in doubt, check with your legal advisor or company counsel.

“The first rule of Nondisclosure Agreements is do not talk about Nondisclosure Agreements.”

Bradford Benn with a hat tip to Chuck Palahniuk

The level of “paranoia” for lack of a better word you want to follow is up to you. I follow the most stringent NDA policies for all of my NDA projects. The reason is that remembering the nuances of each one is difficult. Some people find it humorous my personal level of privacy and security awareness, however these practices apply and help me be aware of things not typically considered. Some of the things I worry about may not be practical for your scenarios but it is still good to think about for things beyond projects. Confidentiality of things such as payroll, checking account balances, insurance information… etc. are still a part of daily life.
The most effective practice I use is both simple and often overlooked. Chuck Palahniuk said it most succinctly, “The first rule of Fight Club is do not talk about Fight Club.” Seems rather simple, but it is often forgotten. The version that applies in this situation, “The first rule of Nondisclosure Agreements is do not talk about Nondisclosure Agreements.” I work within a large company [Harman] there are multiple teams and departments, about 28,000 employees total. Not everyone needs to know everything, engineering does not need to know that I am working with Bob’s Country Bunker on their expansion. If an engineer comes to me as they go to the Bunker every weekend and asks about the expansion, my answer is simple. “Sorry, I don’t know anything about it.” Yes, a lie or a fib. It also means that you are not as likely to be asked as many questions by friends looking for information. It also means not talking about the project in public, especially at industry conventions. However what I get out of this approach is I do not have to worry about someone else leaking the information.

People think it is odd that I have specific USB flashdrives or thumbdrives for different purposes and projects. Using a thumbdrive to share data can easily lots of data  being shared unexpectedly. I hand person A a thumbdrive with person B’s data on it (that is covered by a non-disclosure agreement). Person A would then know about the project and if unscrupulous could have person B’s data. People don’t always think about it, but by sharing a USB drive one is basically sharing part of their computer’s hard drive. There are of course the other reasons such as not wanting to get a virus. My solution is that I format the thumbdrive when appropriate. Typically it is after a customer visit or a system commissioning. I will also backup and then erase the contents of the drive often during the process. None of us have ever lost a thumbdrive with key information on it.

This same approach holds for network storage and sharing solutions. Most people will think about Dropbox, SpiderOak, Google Drive, Box … etc. but these are not the only sharing services to be aware of. A standard computer attached to a network has the same issues at times. A company typically has a network server for storing and sharing project data, very often in addition to that the sharing feature on a laptop will be enabled as well. The shared drive or directory on a computer is most likely the largest liability of these items. If you want to know why, use the network in a hotel, coffeehouse, or even in an airplane. Depending on the security settings of the network one might be able to see other computers on the same network. Very often to make the computer user’s experience simpler shared directories or folders will advertise itself. Now everyone connected to the network is aware that there is a share on the network.

These services are very powerful and convenient. However misconfiguration can be very bad. The sharing features typically get set and forgotten, so data is just sitting around all over the place. Did you remember to change who has access to what within Dropbox? Is your Shared directory still active for everyone to see and edit documents. Did you turn off the sharing for the person that left the company? Is your network storage at home available via the Internet, does it have a strong password and current firmware? Are you using Two Factor Authentication (2FA), if not – why not?

There is the specter of e-mail and how easy it is to not redact or remove information before forwarding it. This issue becomes more and more important as the projects are more and more complex. I often will read an e-mail and store it, some contracts require that. If I need to gather more information from another party I do not simply forward the e-mail, I rewrite it to be as generic as possible. Part of this process is to make sure I understand the question I am asking. Part of it is just preventing information from being shared. Yes, we might work for the same company but I am the one who was given the information, often the NDA indicates that I can only share information when necessary.

I can continue with such things as lock your computer when you are not using it. Don’t carry information you don’t need to on your laptop; especially when you travel. That seems easy to say I know, and it is more realistic than ever to do. I can connect to a server that is secure via VPN connection and retrieve the documents I need when I need them. (This approach can also be helpful and preventative if a laptop is lost or a hard drive fails.)

Encrypt important data. Yes, the encryption word. It is important. It is not new. In the late 1990’s I was working on a theme park project just as e-mail was becoming common. To transmit documents electronically we were required to send them encrypted using Pretty Good Privacy or PGP encryption. I am not going into all the details, the Electronic Frontier Foundation has written a good article providing an overview. This process meant that I would compress a file, then encode it via PGP, then attach it to a message and send it. This process still exists and is still very viable. I encrypt data on my hard drive and on the cloud using PGP encryption, sometimes called GPG on Mac and Linux. Beyond just the encryption the fact that the email has a much higher probability of not being spoofed is reason enough to use it for me. If you want to test it out, my key can be found at my blog post.

Now that everyone is concerned, how to make things better so that you are not the leak? The first item is the Fight Club rule. The second task is I encrypt my connections and data whenever possible (check with your company’s IT department as the last thing that anyone wants is to have data be inaccessible). Find secure solutions for hosting data on the cloud. There are many solutions, I am not going to endorse one or claim one is better than the other, the key item I look for is 2FA. This process means that the person trying to gain access to an account will not only need the password, but a second piece of information to gain entry. Typically this is a numerical value, it can either be generated on a device such as a handheld digital device or sent via e-mail or text. There is more information about 2FA available from EFF as well. I have enabled it on the AVNation website administration tools and everywhere else I can, including Google and Apple cloud solutions. I think that this would go without saying, but just in case; do not click the remember me or have the browser remember your password. That basically means if someone has your computer they have access to all the site.

I am sure by this point I sound paranoid, however I will say that adhering to Non-Disclosure Agreements is valuable for business. No one wants to know as the person who leaked information. It is easier to make sure no one leaks the information by not letting them know about the project. Keeping projects secret and being digitally accessible is very possible. It requires attention to detail and understanding the processes. Do not let it scare you.

This post originally appeared on on Friday, October 13, 2015 as part of the AVNation’s 31 for 31 during October.

A jarring question but an important one. This question can be scary to think about at times but it needs to be addressed and thought about. For many in the AV industry the laptop is the tool of the trade. It is used to configure DSP engines, program control systems, and often calibrate the system. That is in addition to the key tasks it plays in business as being the e-mail, billing, and documentation tool.

Most people I have asked this question indicate that they have everything backed up to a USB thumbdrive. So then I ask the next important question, where is your USB thumbdrive? About half the time it is in their pocket the other time, it is in the laptop bag. So while that USB thumbdrive may help mitigate computer failures it does not address the loss of the laptop bag itself.

The part that most people miss is that-*when a laptop disappears a data breach just occurred. Let me repeat that, the data on the now missing laptop has most likely been breached. Typically people have lots of information on their laptop that they have not considered. The main ones to consider are passwords, account information and e-mails. Many people use the convenience feature of having a website “remember” their credentials. My first concern for the types of websites being accessed is of course the banking, travel, and shopping websites. That completely overlooks things such as possible network credentials for VPN that would let miscreants easily access to your company network.

United Login Screen with a highlight around the words Remember Me
Website option to remember the user.

There are some relatively easy things that can be done to prevent this situation. The obvious one is to not lose your laptop bag. The next-*is to encrypt your hard drive. Encrypting your hard drive limits the ability to access-*your hard drive by a nefarious person. The second one is to not have your browser store your login passwords. Something I have found out is that after an upgrade of a browser, your preferences may get changed. This one is especially important if one follows the other alarming trend of using the same passwords in multiple places. Most of us have already thought about that step but then become complacent and frustrated by remembering all the passwords. Using a spreadsheet that contains all the passwords and account numbers is not-*the answer. A password manager will greatly help with this task and insure that you are using strong passwords. For various reasons I recommend against ones that store your passwords online. There are many available but comparing and contrasting them is for another blog post.

Screenshot showing the option of Firefox browser option to save passwords
Firefox Settings
Screenshot of Google Chrome browser with a highlight on unchecking save password option
Chrome Settings

Another thing to be aware of is that Chrome saves your AutoFill information, which quite often includes your mailing address. Please consider whether or not you want to store and possibly share that information. Also, if you store a password in Google Chrome it is also stored on Google’s computers as well as available on the Internet at-*

Highlighted informramation of Google showing Autofill options
Chrome Autofill options
Chrome Saved Passwords screen with a highlight around the save password option
Chrome Website Passwords Options

The option to me that is most effective is Two-Factor Authentication, often abbreviated as 2FA or TFA. Not every application supports this feature, and many of the ones that do are web based. This process requires two pieces of data in order to be able to complete a login, or authenticate into the system. The two most common ways to do this task are-*either using a token or having the service send you a message to confirm that you are making the request. Examples of these processes are PayPal sending a text message to a user that needs to be entered. The other typical case is using a token generator; an example of this approach is Dropbox if 2FA is enabled. The token generator can be installed on a device such as a smart phone, the generator then needs to be configured to work with the website.

Dropbox Option to trust the computer
Dropbox Tow Factor Token
Screen shot of Google Authenticator app with multiple token values shown
Google Authenticator on an iPhone
Screen Shot of PayPal two factor authentication window
Paypal Two Factor Text Message

Two factor is a great tool to make impersonating you harder. This idea is also predicated on the idea that your token generator is not in your laptop case at the time of loss. Typically there is a weakness of allowing a computer to be remembered and validated as shown above. That setting basically turns off two-factor authorization on that computer.
An important thing to have is a way to deauthorize your computers. The same way one would call the credit card company to turn off a credit card that has been lost, one needs to do that for the missing laptop as well. To complete this task one typically needs another computer and the credentials to be able to login and deauthrorize the accounts in question. Most applications will also allow you to see the last time that device was connected to the service.

Tool to deauthorize Dropbox on other devices
Dropbox Tools including de-authorization options

I hope this helps you. Make sure to check with your company’s IT department to see if they have plans in place for a lost device. Remember, security is a process not a destination. It takes constant attention to remain safer.