Is Facebook deceiving you?

Here is a really good article from the Electronic Frontier Foundation (EFF) about deceptive user interface practices.  The funny thing about all of this is that people are missing the most offensive and dangerous part of Facebook’s warning:

So in other words, they’re going to violate your privacy no matter what you do, because your friends are going to divulge your information.  Put another way, you may end up divulging your friends’ information.  What can you do about this?  Don’t share that much information with your friends.  But you say, “They’re my friends!”  Of course they are, and they probably already know most of the information you would share anyway.

How to do this?  Go to the following part of the site:

Privacy Settings -> Personal Information and Posts

as well as

Privacy Settings -> Friends, Tags and Connections

Then consider each category.  Here comes another wingdinger: in order to keep something to yourself, either you must remove it entirely, or select “Customize” and then “Only Me.”  You can’t just pull down “Only Me” directly from the menu.

I’m seriously considering being through with Facebook over all of this.

What are your thoughts?  Take the OfcourseImRight poll.

How do you manage your privacy on social network sites?


A social network not to be part of

We’ve discussed the unintended evils of social networking sites in the past.  But here is a story about a “social networking” site that seems to have intended evils.  The site, which I won’t name, uses webcams, and people are randomly connected to one another.  You can then chat with the person, click “next” to go to the next person, or report the person for inappropriate content.  Reporting someone blocks that individual for about 10 minutes.  When a friend of mine told me about the site, I thought it was an interesting concept.  But then he told me that what he saw quite often would disgust most any normal person.  And then he told me that he saw young children using the program.

This raises all sorts of questions:

  • Where the heck are the parents of such children, and why would they ever let them near this type of “social network”?  Where’s the little report button to report them?
  • As someone who believes in free speech, if the primary use of a technology is to violate the law, in this case child protection laws, perhaps I’ve just found my limit.  If we look at how Napster fared in the courts, because their business model was predicated on breaking the laws, in the end they had no legal defense.  Can this business argue that they have a viable model, absent the lurid behavior being demonstrated?
  • Even if they claim to have such a valid business model, should this site be required to exercise due diligence in protecting children?  A report button that knocks someone off for 10 minutes doesn’t seem like much of a deterrence.  How about the report button sending identifying information to the service so that they can review the video, where it could be used as evidence in a prosecution?

Here’s one reason I won’t go to the site in question, and neither should you: what if law enforcement finds even a hint that you’ve been there?  Could this be turned around such that you could be assumed to have participated in a lewd act in front of a minor?  After all, we’ve seen other instances where the presence of porn was enough for someone to lose his job and face prosecution.

How Important Is Your EMail Address To You?

Really, it’s not clear to me whether this is a generational thing or what, but people tell me that email addresses are no longer that important to them, what with MySpace, Facebook, and the like.  Others just use SMS, where their cell phone number is the important thing people need in order to reach them.  For some, however, their email address is their identity, and their only means of being reached by friends and family.  That’s true for me, at least.  I’ve had the same set of email addresses for about 12 years: one for work, one main one for play, and a bunch of others for special use.  This is nothing compared to my parents, who have had (roughly) the same phone number for almost forty years.

If your email address is important, here’s a question you should ask: is it important for you to control it from a legal standpoint?  Why would you want to do this?  Let’s look at a few cases:

  1. Your Internet Service Provider (ISP) provides your email address along with your Internet service, be that DSL, cable, or something else.  What happens if you decide to change ISPs?  Do you lose your email address?  And do you care?  Can someone else get your old email address, and what are they likely to receive?
  2. You have a free email account from a service like Yahoo!, MSN, or Google, and the account gets broken into.  The first thing the bad guy does is change all of the security questions that are meant to cover password recovery.  How, then, are you able to prove to the service provider that the account was yours in the first place?  Can you even get your old account shut down, so that the attacker can’t masquerade as you?
  3. This is the inside-out version of (2): suppose someone claims you are masquerading as the legitimate owner of your account?  Who do you go to in order to prove that you are the legitimate owner of the account?
  4. Your mail service provider goes out of business, and the domain they have been using for you is sold.
  5. There’s one special case I’ll mention, but let’s not try to solve it: you use your work email for all email, and you change jobs or are laid off.  It’s a safe assumption that the primary use of your work email account should be work, and that you are taking a risk by using the account for more than work.

For all but the last case, you have a way of at least mitigating the problem by having your own domain name, like ofcourseimright.com.  That is, go to a registrar that you trust and choose a domain name that will be yours as long as you pay the bill for the domain.  However, is this just moving the problem?  It could be, if someone breaks into a registrar account that is not well secured.  However, because you own the domain and the registrar does not, you are able to take at least some actions, should either your registrar not recognize you, or should your registrar itself go out of business (this has happened).

The hard part is finding someone to host your domain.  This sounds like a royal pain in the butt.  And it is!  So why not just use your cell phone or a social network site?  Cell numbers are at least portable in many countries.  Social networking sites like Facebook are another matter, and can leave you with many of the same problems that email has, and more, as we have seen.  Similarly, many financial services that play with your money, like PayPal and eBay, rely on you having a stable email address.

My online identity is tied to...


Get mad? Get Even? Or get up and running again?

When a system is broken into, management often has a choice to make: should they take some time to try to figure out who was behind the break-in, should they bring in the police, or should they just clean up the mess that they find and move on?  This is the choice that the City of Norfolk faced when a time bomb clobbered 784 systems, according to this blog.  Debugging and understanding how a break-in occurred is a bit of a black art unto itself, requiring a substantial amount of expertise that focuses on the innards of Windows, and it requires time for the experts to track back to what they think the source of the problem is, and even then a trace may not be possible.  For one, it depends on what sort of forensic evidence can be found within logs, whether those logs themselves have been tampered with, and what sort of backups were taken of the systems involved.

Here’s the problem with not trying to trace back: the miscreant who screwed you the first time can do the same thing again, using precisely the same attack vector.  At the very least it helps to have a relationship with your security vendor so that you can report the problem, but as defenses get more complex, our continuing game of cat and mouse demands that the attacks get more complex too.  An initial attack vector might itself lead to the use of secondary means of attack.  For instance, probing attacks work very poorly from outside against a walled-off intranet, and in fact can be a means of alerting the guys in white hats that the probing system has been broken into.  However, the likelihood of that alert being raised when the probing happens from within the intranet is smaller.  What’s more, as white collar criminal investigators know, one cannot rule out the possibility that someone on the inside will in fact have gotten things going.

This supports the whole notion of what Cisco calls Borderless Networks.  That’s a marketing mouthful for a concept that Steve Bellovin articulated many, many years ago, which says that bottleneck firewalls are going to need to give way to more sophisticated forms of defense on the devices themselves.

A combination of good backups and logging to secure systems might have helped.  Logs give some notion as to who did what, and when, assuming that you are logging the right things and that the logs themselves cannot be quietly rewritten by whoever broke in.  Backups provide you a means to preserve state.  This works in three ways: you can, perhaps even incrementally, look back into the history of a system for forensic purposes; you can preserve a crime scene through a very low level backup; and you can get back to a known good state.
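One way to make “logging to secure systems” worth something forensically is to make the log tamper-evident, so that an intruder who edits or deletes entries on the compromised host is caught when the collector checks the chain.  The example below is added here and is not code from the original post or from the City of Norfolk incident.  It assumes a keyed hash chain in which each entry’s MAC covers the previous entry’s MAC, a collector-held key (the key management is assumed, not shown), and a few constructed Windows-style event records as sample input.

```python
import copy
import hashlib
import hmac
import json

# Assumption: this key lives only on the log collector, never on the
# monitored host, so an intruder on the host cannot recompute MACs.
COLLECTOR_KEY = b"collector-secret-key-example"

# Constructed sample events, loosely modelled on what a Windows host
# might report during a break-in; they are not real log data.
SAMPLE_EVENTS = [
    {"ts": "2010-02-02T03:15:01Z", "host": "ws-017",
     "msg": "Scheduled task created: cleanup.bat"},
    {"ts": "2010-02-02T03:15:07Z", "host": "ws-017",
     "msg": "Service installed: 'winsrv' from C:\\temp\\w.exe"},
    {"ts": "2010-02-02T03:16:40Z", "host": "ws-017",
     "msg": "Logon: DOMAIN\\admin from 10.0.5.44"},
]

GENESIS = "0" * 64  # digest that precedes the first entry


def _entry_digest(prev_digest, record, key):
    # MAC over (previous digest || canonical JSON of this record), so
    # every entry commits to everything that came before it.
    payload = prev_digest.encode() + json.dumps(record, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def append_entry(chain, record, key=COLLECTOR_KEY):
    """Append a record and its chained MAC; returns the chain."""
    prev = chain[-1]["digest"] if chain else GENESIS
    chain.append({"record": record, "digest": _entry_digest(prev, record, key)})
    return chain


def verify_chain(chain, key=COLLECTOR_KEY):
    """Return (ok, index of first bad entry or None)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        expected = _entry_digest(prev, entry["record"], key)
        if not hmac.compare_digest(expected, entry["digest"]):
            return False, i
        prev = entry["digest"]
    return True, None


def build_sample_chain():
    chain = []
    for event in SAMPLE_EVENTS:
        append_entry(chain, event)
    return chain


def tampering_demo():
    """Run the three things an intruder might do to the log and report
    what the chain check says about each."""
    chain = build_sample_chain()
    intact_ok, _ = verify_chain(chain)

    # 1. Edit an entry in place to hide where the service binary came from.
    edited = copy.deepcopy(chain)
    edited[1]["record"]["msg"] = "Service installed: 'winsrv' from C:\\Windows\\system32\\svchost.exe"
    edited_ok, edited_idx = verify_chain(edited)

    # 2. Delete a middle entry: the entry after it no longer chains.
    deleted = copy.deepcopy(chain)
    del deleted[1]
    deleted_ok, deleted_idx = verify_chain(deleted)

    # 3. Truncate the tail: the chain alone still verifies, which is why
    #    the collector must also remember the last digest it received.
    truncated = chain[:-1]
    truncated_ok, _ = verify_chain(truncated)
    head_matches = truncated[-1]["digest"] == chain[-1]["digest"]

    return {
        "intact_ok": intact_ok,
        "edited": (edited_ok, edited_idx),
        "deleted": (deleted_ok, deleted_idx),
        "truncated_ok": truncated_ok,
        "truncation_caught_by_head": not head_matches,
    }


if __name__ == "__main__":
    for name, result in tampering_demo().items():
        print(f"{name}: {result}")
```

The third case is the caveat a practitioner should take away: a hash chain proves that nothing in the middle was altered or removed, but it cannot by itself prove that the end of the log is where the host says it is.  The collector has to keep the most recent digest (or a running count) off the monitored machine, which is the same reason the backups mentioned above need to be taken to a system the intruder does not control.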

Saddle Up, Boys: Iran is Next

It seems to me that back in the 1940s when the U.N. Security Council was formed, its purpose was for governments to work out differences before one decided to take unilateral action.  This seems to have never worked well, our latest example being the disingenuous Chinese who feign interest in diplomacy with Iran, when it has become perfectly obvious to even the most casual observer that Iran will not give up their pursuit of nuclear weapons.

But is it the Security Council that is failing, or is it just the way we deal with it?  When the same bloc of characters (and we can expect Russia to join in the obstructionism) constantly put commercial interests in front of greater protection of societies, perhaps the best way to deal with them is to ignore them and proceed with blockades, sanctions, and limited military actions, as may be appropriate.  The lawless government of Iran must be checked first with the real threat of such actions, and then with actual, well, actions that support principles long mouthed by all, and practiced by few.  Is this cowboy diplomacy?  You bet your sixshooter, but it’s not like any other options are being presented by our so-called partners in peace.

It’s time to take on not only Iran, but clear misbehavior on the part of those who sit in the Security Council.