If you want to comment on one of the blog posts, you can use the site’s contact form. If you tell me that you want your comment to be public, I will consider adding it to the post in question.

Heute habe ich mich entschlossen, diese Website an die Datenschutz-Grundverordnung anzupassen. Keine Cookies, kein Google Analytics, keine Verarbeitung personenbezogener Daten und keine Logdateien. Dies ist eine einfache persönliche Homepage und ich brauche das alles nicht wirklich.
Ich hoffe, dass die Website damit den Anforderungen der DSGVO entspricht, kann mir aber nicht sicher sein, ob mich das in unserer schönen regulierten Welt tatsächlich vor allem juristischen Fallstricken und Abmahnwellen schützen wird.
Ich fürchte, das ist alles, was ich derzeit tun kann, um mich zu schützen. Ich würde sonst viel Zeit investieren müssen, wie zum Beispiel in das Verfassen einer langen wasserdichten Datenschutzrichtlinie. Auch müsste ich den Zweck aller Cookies erklären, eine Opt-Out-Technologie dafür bereitstellen. Ein SSL-Zertifikat ist bereits installiert, um persönlichen Daten in Kommentaren und Kontaktanfragen zu schützen.

Wer einen der Blogposts kommentieren möchte, sollte also das Kontaktformular der Website verwenden. Der Kommentar kann dann gegebenenfalls zum betreffenden Beitrag hinzugefügt werden.

Folgende Maßnahmen werden erwartet:

1. Google Analytics tracking code um die Funktion AnonymizeIP erweitern
2. Schriftlichen Vertrag mit Google zur Auftragsdatenbearbeitung abschließen
3. Datenschutzerklärung der Website ergänzen
4. Alte Google Analytics Profile löschen

Warum das alles?

Ich bin sehr besorgt um meine Privatsphäre im Internet. In all meinen Web-Browsern sind 3rd party cookies deaktiviert, ich lösche ohnehin alle Cookies regelmäßig, verwende AdBlocker und NoScript, und ich habe viel Zeit mit den Facebook-Einstellungen verbracht, nachdem mein Profilbild ohne meine Zustimmung in einer Werbung im Online-Telefonbuch erschien.

Ich bin trotzdem der Meinung, dass die o.g. Maßnahmen wenig Sinn machen. Fast schon grotesk.

Es geht vornehmlich um die Anonymisierung der Benutzer IP-Adresse, weil IP-Adressen einen Benutzer persönlich identifizierbar machen und auch der Standort des Benutzers ersichtlich ist. Ich werde deshalb lediglich auf den ersten der vier genannten Punkte eingehen. Wer allgemeine Kritik auch zu den anderen Punkten sucht sei auf den Internet-Law Blog verwiesen.

Mit der AnonymizeIP Funktion im tracking code soll eine „Anonymisierung“ der IP-Adresse gewährleistet werden.

Dazu muss man folgendes wissen:

1. IP-Adressen können nur vom Internet Service Provider (ISP) einer Person zugeordnet werden. Firmen wie 1&1 werden Google auf Anfrage sicher nicht den Namen ihrer Kunden mitteilen. Da müsste Google schon selbst der ISP sein, das käme aber für mich genau aus diesem Grund sicher nicht in Frage.

2. IP-Adressen identifizieren das client-Ende einer TCP/IP Verbindung. Das ist heute i.d.R. ein Computer oder ein (DSL-)Router. Hinter einem Router können sich viele verschiedene Computer verbergen, und jeder davon kann von mehreren Person verwendet werden. Wer meine IP auswertet, wertet demnach das durchschnittliche online-Verhalten aller Personen in meinem Haushalt aus, nicht mich persönlich. Auf meiner Arbeitsstelle teile ich die öffentliche IP Adresse unseres Proxy-Servers ohnehin mit mehr als 1000 Kollegen, also auch hier kein „personal tracking“.

3. Es ist technisch nicht möglich, die IP Adresse vor der Übertragung an Google zu verändern. AnonymizeIP sorgt lediglich dafür, dass der tracking code Google auf die erforderliche Anonymisierung hinweist. Google hat sich verpflichtet, in diesem Fall das letzte Octet der IP Adresse vor der weiteren Verarbeitung der Daten (bereits in Europa) zu entfernen. Damit kommen 255 verschiedene IPs in Frage. Data mining Spezialisten können mit einer verkürzten IP zwar weniger anfangen, nutzlos ist sie dennoch nicht. Zusammen mit anderen tracking Parametern kann ein anonymes Benutzerprofil relativ einfach erstellt werden. Für den Versuch, diese Daten einem bestimmten Computer oder Router zuzuordnen, sollte die Zahl 255 keine allzu große Hürde sein (Stichwort EverCookie).

4. Google verwendet die IP Adresse für die (mehr oder weniger ungenaue) Bestimmung des Ortes, von dem aus der Benutzer eine Website verwendet hat. Diese Orte werden in den Statistiken angegeben. Das letzte Octet zu entfernen, wird die Genauigkeit der Ortsangabe in vielen Fällen gar nicht verschlechtern. Es wird ohnehin nicht der Standort des Benutzers ermittelt, sondern der seines ISP, und der ist für alle 255 anonymisierten Benutzer gleich.

5. Viele Benutzer haben wechselnde (dynamische) IP-Adressen. Meine private öffentliche IP Adresse ist die eines 1&1 Servers. Sie wechselt täglich, und das nicht nur innerhalt des letzten Octets.

Mit anderen Worten… viel Wirbel um Nichts. Ich sehe jedenfalls meine Privatsphäre auch dann nicht in Gefahr, wenn Google meine vollständige IP-Adresse erhält. Zum Glück hat dieser Auswirkungen keine unmittelbaren Auswirkungen auf die Funktionalität und Benutzerfreundlichkeit einer Website. Lediglich die Datenschutz-Informationen werden nochmals komplexer und umfangreicher, was lediglich dazu führen wird, dass sie noch seltener gelesen werden.

Apple’s developer support avoids clear answers on questions about the guidelines. If your question is a tricky one, they will much rather refer back to the guideline or recommend you simply submit you app and give it a try.

When an app is rejected there is often only a very general statement about why this happened. Usually it’s just a boilerplate message referring to a section in the guideline, including a brain dead recommendation to rectify the issue, like taking out a feature altogether.
The most annoying experience I had with Apple recently was a discussion on the phone with an employee who suggested that closing an app programmatically may be acceptable if we were to change it from a free app to a paid one. The app concerned is a free program to promote a pharmaceutical product with a cool Google Maps based reporting tool. Being a pharma app, the tool must have a one-time disclaimer message which the user needs to agree to before using the tool. But what if the user does not want to accept the terms? We thought it would only be logical to close the app, even though this may not be in compliance with Apple’s interface guidelines. The app was nevertheless accepted on first time submission. The rejection occurred however when we uploaded another release about one year later:

Don’t Quit Programmatically!

We decided not to accept this decision and started a debate, telling Apple that pharma market conditions require promotional tools like apps to be very clear about the legal frameork they operate under. There must be Legal Terms, and if the user rejects them, the app must dutyfully close. That’s what our users expect. If we let them end up in a you-must-accept-these-terms loop, they might feel like being tricked into accepting something they don’t like. Also, there are multiple apps out there which terminate when you reject the one-time disclaimer.

After having read our justifacation, Apple decided to escalate the issue. I received a phone call from an employee who did not seem to be very interested in discussing the Guidelines and our initial response. Instead, he suggested that closing this app would make more sense if we were to charge for it, „like 99 cents“.
What? Why would a charge justify this? I tried not to express my annoyance and I explained in much detail that this is a free promotional tool, and that under no circumstances we would ever charge for it. The Apple person patiently listened, but his response was no more than a suggestion to resubmit the app and await a decision. I thought „That’s it“. The app will never get approved again. All that money was wasted. So I once again tried to convice this guy, no less dedicated, and no less detailed. He again listened patiently, he again did not comment, and he again just recommended to resubmit.

Guess what happened? When I resubmitted the app, it was approved in no time. I of course cannot tell whether it was Apple’s sole intention to change the app into a paid one, but what I was told during this phone call made no sense to me at all.

DSL 6000 funktioniert noch nicht 100%. Anscheinend wird die Bandbreite auf 3456 kBit/s gedrosselt. Ich habe den 1&1 support gebeten, das zu korrigieren. Die FRITZ!Box hängt im Netzwerkschrank im Keller. Tolles Gerät mit vielen features. Endlich haben wir den beiden großen Kindern auch ihre eigenen Rufnummern und DECT Telefone verpasst. Kein stundenlanges Blockieren der Leitung mehr.

Ich habe Perl scripts geschrieben, die via HTTP ein mal täglich mit der FRITZ!Box verbinden. Ein script liest die ein- und ausgehenden Anrufe aus und speichert die neuen Anrufe in eine CSV Datei. Ein anderes script liest die öffentliche IP Adresse aus, schickt sie mit HTTP an meine dynamic DNS provider (selfhost.de, dyndns.com) und mit FTP an eine Seite auf meiner Website. Ich weiß dadurch immer, wie ich meinen Laptop im Keller erreichen kann, auf dem die Photovoltaikdaten gespeichert und auf einer nicht-öffentlichen Website angezeigt werden. Alle paar Stunden werden sie von dort auch auf die soldierer.com Photovoltaikseite übertragen.

Der WLAN Empfang reicht leider nicht bis in den Garten. Ohne Repeater ist die Reichweite bescheiden, noch nicht einmal vom Keller in die erste Etage. Zum Glück haben wir in allen wichtigen Räumen LAN Dosen. Typisch Deutschland… alles was funkt muss so schwach wie möglich sein. Das Signal wird von den Stahlbetondecken geschluckt.

Das Web-Interface des Routers ist gegenüber der alten Version deutlich verbessert worden. Auch wartet die Hardware der FRITZ!Box mit einer Reihe nützlicher Neuerungen auf. DECT Telefone können z.B. direkt mit der Box kommunizieren, und ein USB Anschluss ermöglicht das Anschließen einer externen Festplatte oder eines Druckers.

Alles in allem eine lohnenswerte Investition. DSL 6000 flat rate (hoffentlich bald auch in voller Bandbreite), Telefon flat rate, Handy Deutschland flat rate, 4 VoIP-Telefonnummern mit eigener mailbox, toller Router, und alles zu einem Preis mit dem ich zu meiner Studienzeit noch nicht einmal die Telefonkosten decken konnte.

Computer and network security is a big issue, don’t underestimate the risks. I first noticed this years ago when I installed a free personal firewall on my PC. Only seconds after the program started to do its job, it alerted me of suspicious activity on ports and protocols that I even didn’t know existed. Steve Gibson calls this activity Internet Background Radiation. Much of this is not merely junk but malicious traffic. To protect my personal computers, data, and privacy, I have taken a number of simple security measures which I want to share with you.

Hardware

Use a router
No matter whether you have a cable, DSL, or ISDN connection, buy a router and let it block all unwanted traffic. Modern routers include a hardware firewall which will close or „stealth“ all machine ports that do not need to listen for incoming network traffic. Make sure that all network ports are stealth (invisible), or at least closed (unresponsive). You can use the Shields Up online tool to challenge your computer’s ports.

Security tokens
Paypal/Ebay implements two-factor authentication. For very little money you can purchase a small device (see image above) which generates a unique key each time you log in. So even if somebody knows your password, they cannot log into your account because they don’t know the extra number which changes each time. Verisign offers a similar system which you can use to secure your OpenID account. Many online banks have similar tokens or devices that generate one-time keys using the bank’s card.

Encryption

Use encrypted connections to the Internet whenever possible. If a web shop or service offers a secure (SSL, https) connection, use it. Try to set up your email client with a secure connection (TLS, SSL) to the mail server. Encrypt sensitive emails or email attachments.

If you run a WLAN, encrypt your traffic. Do not use WEP to do this as this protocol can be cracked within minutes! All modern routers have WPA which is much more secure. If your access point and connecting machines support WPA2, often also referred to as AES or CCMP, use this. For regular WPA encryption (a.k.a. WPA1 or TKIP) a vulnerability was recently reported which could allow a hacker to decrypt very small data packets under certain circumstances. With both WPA1 and WPA2 your WLAN is definitely protected from eavesdropping as long as you use a secure password. Generate a strong password here.

My Laptop’s harddisk is encrypted with TrueCrypt [comment Nov 10, 2014: Truecrypt is no longer supported by its developers, see truecrypt.sourceforge.net]. Should it ever get stolen, nobody will be able to see the data.

I never connect my private Laptop to a wireless access point in an Internet Café or hotel. On my company Laptop I can use a secure VPN connection. If you don’t have company VPN, use a service like OpenVPN to get your data encrypted before it is aired on an insecure WLAN.

Software

Operating system updates

Always install all security patches immediately.

Firewall

Since service pack 2 of Windows XP every windows machine fortunately runs Microsoft’s software firewall. It only blocks incoming traffic though which is why I run the Sygate free software firewall. Sygate alerts me when a program on my computer wants to connect to the Internet. I would therefore be able to quickly identify and block any trojans that try to phone home. Once malicious software finds its way into your computer it can disable the software firewall. A hardware router therefore provides better protection.

Antivirus programs

I run Avast free Home Edition on my PC. Needless to say that every computer should have Antivirus software installed. Computer viruses ar no longer ditributed via floppy discs or email attachments. Most infections happen on websites these days so you better have virus tool scan the incoming traffic

Anti Malware tools

Next to Avast I run Spybot Search & Destroy. There is much more junk out there than just viruses.

Virtual machines

A virtual machine will protect you from any damage caused by viruses and malware because it is a self-contained operating system environment which can be easily reset to a previous state if it was compromised. If you like to surf the darker corners of the Internet, get yourself a copy of VMware.

Web browser

Use the most recent version of your web browser of choice. Don’t stick to older versions as they have known security vulnerabilities that got fixed in more recent releases. Configure the browser to block 3rd party cookies. Delete permanent cookies from time to time. Do not allow unknown or even dubious websites to run Javascript in your browser. Use Internet Explorer’s trusted zones or the Firefox NoScript add-on.

Secunia PSI

This useful tool helps you to always run the most recent and secure versions of software. It scans your PC and reports programs that should be updated.

Good security practice

A number of additional simple measures will significantly increase your security and privacy.

Do not work and surf with your computer’s Admin account, create a less privileged user account.

Make your hosts file read-only to prevent malware from tampering with it.

To prevent keystroke logging, copy-paste user names and passwords, don’t type them.

To prevent cross site request forgery, log out on a passwor protected website before you surf to another one.

Bild von Monfocus auf Pixabay

In an effort to meet accessibility requirements, I was looking for tools to check whether users with a variety of color blindness conditions can actually use our websites. Posters and brochures can already be difficult to read for color blind people. On web sites another dimension is added to this problem because certain features may be rendered useless by choosing a bad color palette. Colored links for example, if not underlined, may not be seen as links because they appear to be of the same color as all other text.
When website accessibility is discussed, the focus is usually on screen reader compatibility and blind people. Accessibility issues caused by a bad color palette are actually much more common. In the USA alone there are 3.5 million people with some form of color blindness. Most have difficulties to discriminate red and green hues („red-green blindness“). A website visitor who cannot see the difference between a red word and a green word will not be happy if these colors are used to markup navigation elements or highlight important content. Checking your website palette for such issues therefore is a good idea.

There are online services that accept a URL and return the corresponding web page with color modifications that match a particular color vision deficiency. The modified page is either returned as a web page or screen shot. A standards compliant page may not be returned in a useful format, as some of these services have only limited CSS support.

Examples:

The Colorblind Web Page Filter
Vischeck Webpages

Other services accept an image file and return its modified version. While this method requires a bit more work to create, save, and upload a screen dump, it produces much more reliable results.

Examples:

Color Blindness Simulator
Vischeck Images

If you prefer to install your own tool, try Colorfield Insight, a Photoshop plugin. There is also free software available to convert web pages into what will be seen by a color blind person. ColorDoctor from Fujitsu works great!

Testing your sites for color related accessibility issues (contrast, brightness, color blindness) is not a low priority thing. It should be part of your regular review and sign-off procedures.

Looking at the actual numbers, mobile web access is only about 0.3%, so still plays a minor role. However, the Net Applications data support common belief that mobile devices will be widely used to surf the web when they provide a better browsing experience.

It is estimated that 3 billion mobile phones are in use today, and only about 1 billion PCs. Yet almost all web browsing is done on PCs. Why?

The conventional 1.5 x 2 inch screen on most mobile devices is just too small. According to Mobref.com, more than 60% have a horizontal screen resolution of 176px or 128px, or even less. Most web sites do not offer a mobile interface. Viewing such sites on a 1.5” wide screen requires lots of scrolling. Unless a phone is 3G, data transfer is slow. Even with an iPhone which is not a 3G phone yet, surfing the web is reported to be painfully slow using At&T’s mobile connection (EDGE). Only with its WiFi option, the iPhone provides fast enough web browsing.

Phones will become more powerful, with faster access, larger screens, and better web browsers. Mobile Internet access will become cheaper, too. I strongly believe that despite current low mobile access stats, web site owners should no longer hesitate to build a site version that supports mobile devices. If your site is not web standards compliant yet, make XHTML plus CSS your first priority. Unless your site targets a mobile audience, there is no need to have a tailored version for all of the 50+ different mobile browser models out there today. One style sheet that optimizes the site for mobile access can easily be implemented and for most sites would make a huge difference already.

The W3C has published mobile web best practices. Testing your site with Ready.mobi will reveal key areas for improvement.

I also set up encrypted hard disk drives for private data on my desktop machines at home. I once had to send a defective hard disk back to the manufacturer for repair. A nosy mechanic would not have found anything other than a boring C: drive with Windows XP and some programs on it.

On the USB mass-storage device that I always carry on my key ring at least one file is encrypted. It contains many different login passwords and other secret information that I need to have access to no matter where I am.

Great free software is available to encrypt entire hard disks, partitions, folders, files, and emails. This is the first post of an encryption series that will explain what software I use on my Windows XP machines. The programs I use are available for Linux and Macintosh computers, too. And they are all open source which to me is the most important reason for not using commercial software for encryption. I trust that many cryptographers have already inspected the code to make sure that it does not contain any weaknesses or backdoors.

Free encryption software (2): File encryption on USB flash drives

Free encryption software (3): Hard disc encryption

Free encryption software (4): GNU Privacy Guard

Not many mobile phones in use today offer decent internet browsing like Apple’s iPhone or recent Nokia models. Surfing the web on an iPhone is easy because it uses a full featured Safari browser and can flip to portrait view when the phone is turned 90 degrees (accelerometer).

A significant part of all web surfing will be done on mobile devices only if and when:

1. most important web sites have (CSS driven) mobile interfaces
2. mobile devices have larger displays and regular web browsers (good bye WAP)
3. prices for 3G phones come down to $200-250
4. high speed mobile internet access at affordable flat rates

Most web site owners today are not willing to invest lots of recources into building a number of tailored mobile web interfaces that suit different mobile devices. When mobile devices have standards based web browsers  there will be a need for only one such interface, if the site’s main interface is not sufficiently compatible with mobile phones already.

Thanks to mofuse.com this blog has a mobile interface, too: mobi.soldierer.com

t.b.c.

At a conference last week I met Simon Revell, a Pfizer UK employee who had successfully helped implementing enterprise 2.0 in his organization, mainly blogs and wikis. Very interesting presentation.

First of all I was surprised that he is an IT manager, so the IT department brought this project forward, not Marketing, not Communications. I guess it would not have been possible otherwise because there was no social software available in the organisation, Simon’s team simply set up a LAMP open source environment using Drupal and hooked it to the network. Nobody but IT can do this in a company where everything is running on Microsoft technology.

Simon had an interesting story to tell about the difficulties of kicking off enterprise 2 (”Who gave you permission to do this?”), marketing the new “corporatepunks” culture, and getting their blog known to UK and international colleagues to make it a lively communication medium.

You can find out more about Simon.

Definitely check out the “Meet Charlie” presentation created by an IT colleague of his.

Now that Sharepoint 2007 is running more and more corporate intranets, enterprise 2.0 is easier to implement, at least technology-wise. Sharepoint supports blogs and wikis, not feature-rich but good enough to get started. What are we waiting for?