Tag Archives: privacy

Now accepting more cryptocurrencies

A recent change in the Stripe API, accompanied by a shift in Stripe’s handling of Bitcoin has prompted us to switch to CoinPayments.net directly for handling cryptocurrency. Payments processed through the CoinPayments.net gateway will still ultimately be processed by our CoinBase account, but will no longer be initialized via Stripe.

On the checkout page, CoinPayments.net is now listed as an additional gateway. Selecting that and clicking Place Order will transfer you to a page hosted by CoinPayments.net, where you may select Bitcoin or another one of a number of different cryptocurrencies.

Please note that as a result of this change, the Bitcoin Payment Policy has been superseded by the new Cryptocurrency Payment Policy (though the former will remain available for historical purposes).

A Note about Third-Party Components in ArcaOS

You may be aware of the recent massive Equifax security breach and the Company’s explanation surrounding a vulnerability in Apache Struts (CVE-2017-5638) disclosed by US CERT in early March 2017. Some reports have implied that the company has somehow blamed Apache Software Foundation for the breach, specifically by not moving quickly enough to address the security flaw. Apache has responded to these allegations clearly and concisely. In light of this incident, we thought this a good opportunity to help provide some clarity concerning third-party work and open source components, in general, as they pertain to ArcaOS and Arca Noae’s position regarding their fitness for use, and who is ultimately responsible to maintain his or her or, in the case of enterprise use, its own systems.

Arca Noae includes several components in ArcaOS developed by reputable third parties, including IBM, Apple, and others. Some of these components are open source, as well, meaning that the code for compiling these components into machine-readable form is freely available to the public. Open source software is often more secure than proprietary software, by nature of the fact that many (sometimes thousands) of developers around the world contribute to the code. This (often massive) group effort allows such projects to react quickly when flaws are discovered, and to work to constantly monitor and maintain the software. However, whether proprietary or open source, Arca Noae may have no control whatsoever over these components, inherent flaws, or as-yet-undisclosed security issues.

It is Arca Noae’s position that each ArcaOS licensee (whether an individual or an enterprise) bears the sole responsibility to consider his or her or its own interests and security. While we do what is within the realm of reasonable possibility to stay abreast of current trends and vulnerability disclosures (CVEs), we cannot guarantee that all issues will be identified and/or reported to our users by us. Thus, best practices dictate that each user remain vigilant and aware of the connected ecosystem in which we live and to take steps to mitigate his or her or its own risks.

Arca Noae welcomes reports from our users of disclosed and non-disclosed vulnerabilities. While we normally encourage our users to avail themselves of our Mantis ticketing system to report issues, those of a sensitive nature (such as an as-yet-undisclosed or little-known security flaw in a bundled component) should be reported through our contact page.

We would also like to take this opportunity to remind all of our ArcaOS licensees that ArcaOS does not utilize telemetry of any kind to communicate with us. We firmly believe that when a user licenses a copy of ArcaOS, his or her or its data should remain on the system as directed by the user, shared only by the user, and with the user’s full knowledge and consent.

The next exciting update to ArcaOS 5.0 is in the making, too. Watch the Arca Noae blog for a release announcement in the coming weeks.

How ArcaOS addresses privacy and data security

Personal computers have come a long way since the 1990’s, and today, it seems like everything wants to connect to everything else – even when we don’t want that to happen. Worse yet, it seems that device manufacturers and software publishers aren’t satisfied with a simple product purchase or licensing fee; instead, they seem to want to harvest your personal information and either use it market more stuff to you or even sell it to unknown third parties.

Arca Noae understands this, and we respect your privacy. ArcaOS evolved from roots which predate this overly-connected ecosystem in which we find ourselves today. While there are some trade-offs for the insulation which that affords the user, we believe that these trade-offs are well worth the effort.

Here are some of the things which ArcaOS 5.0 either doesn’t have or doesn’t do. See if you don’t agree that when compared to some other operating system choices you have, ArcaOS looks like a much safer bet:

No Adobe Flash Player. Over the years, Flash has become a major attack vector for compromising not only the browser (when run as a plugin), but the entire system, planting many spyware elements on the system to beacon the user’s actions elsewhere or serve as a path for infecting other systems – regardless the antivirus or antispyware software in use on the system. We made a decision early in the development cycle that as the internet is moving to HTML5 for more native playback of rich media, we would not include such a weakly-secured component in ArcaOS.
No centralized address book. A central address book is a common vulnerability, exposing all of your contacts to discovery (and spamming). There are methods for securing an address book in Thunderbird and SeaMonkey, however. Be sure that if you use anything which stores addresses you keep it password protected with a strong cipher to ward against theft.
No centralized password manager. There is nothing wrong with having a password manager installed, and there are, in fact, several very nice ones which run quite well under ArcaOS. However, why should everyone know which password manager you use? Known exploits could leave you vulnerable even without divulging such information. Because there is no single password manager bundled with ArcaOS, would-be thieves will have to try to determine which application actually holds your valuable information.
Samba 4 file and printer sharing client, including Kerberos and NTLMv2 authentication. No old, weak password hashes for ArcaOS. Instead, Samba 4 utilizes the latest methods for securing authentication to servers and even encrypting data transport to and from servers so configured.
Updates via secure channels, keeping Arca Noae credentials safe. When accessing updates from Arca Noae servers, all transports are done using the HTTPS protocol, and when storing your login credentials in Arca Noae Package Manager, the credentials are actually tied to your local system. It is not possible for someone to steal your configuration and easily decrypt your username and password for your Arca Noae account on another machine.
Arca Noae stores no financial information on our own servers. Should your account credentials actually fall into the wrong hands (a stolen laptop or a careless reminder note), your account information stored on our servers does not include any of your credit card data. We simply do not retain this sensitive information.
ArcaOS doesn’t “phone home.” It’s true. If you ever find yourself stranded on a desert island with just your laptop and a solar panel for electricity, your ArcaOS-powered machine will never complain about not being able to “authorize” the installation for use, because it never looks to contact us. An ArcaOS installation is an island unto itself. It is even possible to retrieve software updates on a single machine and set that machine as a repository for all of the other ArcaOS stations on your network. None of the other systems would ever need to touch the internet to get the latest code.
ArcaOS does not include any trialware or junkware. Many of these applications contact their own publishers over the internet (aside from ceasing to function after a certain period of time). Every bundled application on the ArcaOS DVD is fully functional and fully licensed for use with ArcaOS – forever, with no further registration required, anywhere. None of these applications send information over the internet to anyone else, and are perfectly happy to just run in their own space under ArcaOS, unless you want them to make contact elsewhere. Shouldn’t that always be the case?

This is by no means an exhaustive list of how ArcaOS was designed to keep you safe in our overly-connected world, but merely a starting point for discussion and consideration. All that, and we managed to keep the introductory pricetag under a hundred bucks. How’s that?

EU-US Privacy Shield – Status Report

If you are a resident of the European Union and a customer of ours, chances are you have been watching (or at least are aware of) the situation regarding data transfer policy between the EU and the US.

On October 6, 2015, the Court of Justice of the European Union (the “CJEU”) invalidated the European Commission’s Decision on the EU-US Safe Harbor arrangement, determining that the Commission’s finding that Safe Harbor was adequate was, in fact, inadequate. More on this decision may be found here.

On February 2, the US and the EU reached an agreement in principle to construct a framework to replace Safe Harbor and to reconcile differences between the laws of both governments. That framework has been named the EU-US Privacy Shield. In response to the agreement, the US Department of Commerce released a fact sheet, which we are making available as a pdf, here.

As the new framework promises to have farther reaching implications for how personally identifiable data is handled by third parties, we have contacted both of our current payment processors (Stripe and PayPal) for their comments. While we are still awaiting comment from PayPal, Stripe has responded that they, too, are monitoring the situation, but have not yet made any changes to their policies or procedures, pending more concrete guidance.

We want you to know that we take the privacy concerns of our customers very seriously, and we will continue to monitor this and any other legislation which may have an impact on doing business with us, whether you are located within the US or anywhere in the world. We believe that our current privacy policy remains in accord with the spirit of the new EU-US Privacy Shield as we anticipate it, but we will keep you apprised of the situation and will make adjustments as necessary.

More information and commentary on the EU-US Privacy Shield may be found on these sites:

Digital Media, Technology & Privacy Alert >> Agreement on EU-U.S. Privacy Shield to Replace Safe Harbor Faces Hurdles, Kibel, Gary A, Partner (Digital Media, Technology & Privacy), Davis & Gilbert, LLP, February 4, 2016.

Article 29 Working Party Reacts to the U.S.-EU Privacy Shield Agreement, Tielemans, Jetty and Steinhardt, Ezra (Data Privacy and Cybersecurity group), Covington & Burling LLP, February 2, 2016.

Bitcoin now accepted

For those crypto-currency lovers in the OS/2 universe, we are now proud to announce that Arca Noae is able to accept Bitcoin as a method of payment. Simply select the option to use Credit Card or Bitcoin (via Stripe), and click the Bitcoin option in the popup window during checkout.

Please note our Bitcoin Payment Policy Addendum to our Acceptable Use Policy for important terms and conditions before purchasing with Bitcoin.

Privacy Policy Update

In response to visitor feedback, we have clarified the portion of our Privacy Policy concerning use of Google technologies.

To summarize, while we have not knowingly enabled any Google technologies on our site, such technologies may be enabled by third-party components which we employ and of which we may be unaware. If we do choose to employ any such technologies, or if we become aware of a third-party component which utilizes them, we will take reasonable steps to provide advance notification.

We invite you to revisit our Privacy Policy and provide us with your comments.

Privacy & Acceptable Use Policies

We at Arca Noae are firm believers in protecting your data while accessing any of our hosted services. This is especially true of your online shopping experience. You should know that we employ up-to-date builds of software technologies designed to keep your information secure while visiting us. We invite you to read our Privacy Policy and our Acceptable Use Policy, and know that we stand behind our words.