Thursday, December 31, 2009

"Reasonable Expectation" of email privacy extended to workplace

A few months ago personal email was given the same privacy status as postal mail. On December 10th the U.S. District Court of the District of Columbia ruled that an employee's personal email sent on company equipment can have the same expectation - if certain conditions are met. The case was Convertino v. US Dep't of Justice, and stemmed from the DOJ's desire to access personal emails that an employee had sent to his lawyer from work. He argued attorney-client privilege; the DOJ argued he could have no expectation of privacy with email he sent from work. The judge ruled that the employee did have a reasonable expectation of privacy. The decision was based on these points:

* DOJ's computer use policy did not prohibit personal use of the DOJ email system.
* The employee took steps to delete the privileged emails promptly.
* The employee was not aware that DOJ's system retained a copy of the emails after he had deleted them.


This is a good thing, but it has a downside. If your employers make it clear that company policy prohibits personal use of company email, absolutely any email sent through your company is fair game. If you don't delete the emails promptly, they could become fair game, even if there is no policy against personal use of email.

The best way to handle the pitfalls of using company email to send personal messages is: don't. But if you have to, this gives you some possibility of keeping the messages private.

Wednesday, December 30, 2009

He should work for Homeland Security

Frank Janosko was sentenced to 18 months for hacking a prison computer while he was incarcerated at the Plymouth County Correctional Facility (PFFC) in Plymouth, Massachusetts. He was granted access to the "thin client" computer that only ran a program to allow inmates to do legal research. Mr. Janosko used a quirk in the software to send email and find information on over a thousand PFFC employees. I talked Monday about the U.S. government having trouble finding people with cyber security skills. This guy looks like a natural born pentester. Maybe they should hire him.

Tuesday, December 29, 2009

Transportation Insecurity revisited

December 25th, Christmas day. Umar Farouk Abdulmutallab boarded Delta/Northwest flight 253 carrying common, easily detected explosives. The man was suspected to have terrorist ties and was even on the terrorist watchlist. According to some reports his father had reported concerns about his son's radical views. According to the authorities, they couldn't find enough evidence to warrant placing him on the no fly list.

HIS OWN FATHER REPORTED HE MIGHT BE DANGEROUS!!!!!!!

I could understand not placing much weight on allegations by a business rival, former lover, or something like that, but this was the man's father. If that doesn't warrant extra consideration, what does it take, setting off a bomb?

Oh, wait, that is what it took.

We don't need more manpower for our security. We probably don't need more money. We need fewer people but with more brains.

UPDATE: Two of the Yemeni Al Qaeda leaders responsible for this attack were released from Guantánamo Bay in 2007. They were released into Saudi custody, where they underwent (unsuccessful?) rehabilitation. Is closing Gitmo really a good idea, Mr. President?

Update II: President Obama has recognized the danger. In a statement reported by the AP (via yahoo news) he says,

"It now appears that weeks ago this information was passed to a component of our intelligence community but was not effectively distributed so as to get the suspect's name on a no-fly list. Even without this one report, there were bits of information available within the intelligence community that could have and should have been pieced together."


Again, the problem isn't lack of information, it's communication between agencies and departments within agencies. 8+ years later, and we're still fighting this problem.



[edited at 8:10 am with new information by Bert]
[edited again at 5:05 pm to include Obama quote]

Monday, December 28, 2009

Do you have the skills?

The feds are looking for people with the skills necessary to move the U.S. into the 21st century, cybersecurity wise. If you have the skills to help secure our networks and a security clearance, you can make some pretty good money, even if you don't have a ton of experience. You do have to have some, but the main point is that you have some experience and a security clearance. Cyber attacks have tripled recently, but cybersecurity talent with security clearance is so rare that government agencies and government contractors are fighting for the same people, and the government can't compete.

The government's inability to pay competitive salaries is hurting our ability to protect important data. The problem isn't being able to figure out how the bad guys might get at it, it's in figuring out how to close the holes we can find. And the ability to respond to a breach varies widely from department to department. The State Department has well equipped and trained staff who can respond quickly, determine the attack vector, and plug the hole, then analyze and determine ways to prevent similar attacks in the future. The Commerce Department, which handles data every bit as sensitive as State, lacks similar equipment and training. Both suffered serious breaches. State was able to determine how it was done and prevent data theft. Commerce was never able to determine how the attack was pulled off, although they say no data was compromised. But they still replaced hundreds of workstations.

This is a serious problem. Organized crime and hostile governments (note: in this context, all other governments are hostile) are marshalling major resources at cracking the security in U.S. government and private corporate facilities. It is not the government's place to protect private companies (nor should it be), but it is of paramount importance that government agencies are able to keep data safe from prying eyes. Their databases contain information that could do irreparable damage to our ability to compete in the marketplace. They contain data on research in all types of technology that we would not want falling into enemy, and maybe not even friendly, hands. If there is any one area we cannot afford for our government to skimp on, it is national security, and part of that is making sure that we have the best cybersecurity experts providing the best policies and procedures for preventing breaches, and when they do occur, detecting, plugging, and cleaning up after them quickly and efficiently.

Thursday, December 24, 2009

Merry Christmas, everyone

Or Happy Hanukkah. Whatever holiday you celebrate this time of year, enjoy it. I'll be back Monday.

Wednesday, December 23, 2009

I guess he's never heard of blinds...

Erick Williamson decided to spend a morning in the buff packing and drinking coffee. Trouble is, on this fine October morning, two women saw him through the windows of his home, and didn't think highly of his unusual morning ritual. He was convicted of public indecency, but given a suspended sentence and no fine. Not satisfied, Mr. Williamson is appealing, saying he never intended anyone to see him. His lawyer says that neither of the conditions required for an incident to be considered obscene by Virginia law was met. Those requirements are "an obscene display or exposure" that must be in a "public place or place where people are present."

I'm no lawyer, but when people see you from the street it seems to me that you should either be putting on clothes or buying drapes. And you definitely shouldn't be singing loudly or rattling things around. And I almost hope an appeals court gives him some jail time and a fine, because he obviously needs to be educated on how to respond to a lenient court.

Tuesday, December 22, 2009

Twitter hacked via email

Twitter was hacked and their DNS data changed. The trick was done through a compromised email account. This isn't the first time something like this has happened to Twitter. It makes me wonder just how safe social media really is, if security failure is just one weak password away.

Monday, December 21, 2009

Netflix: Outing the Gay and Lesbian community since 2006.

Privacy policies - almost nobody reads them. When it comes to social networks and online services they almost all give the service provider the right to release "anonymized" data. Several places reported today that a class action suit against Netflix has been initiated because the data they are releasing can actually be tracked back to the original user. I first read of it in Wired's Threat Level blog, but one of the most detailed stories is at Ars Technica.

It seems the problem stems from a contest Netflix launched in 2006. It released two sets of data for contestants to manipulate. The goal was for someone to design an algorithm that would be 10% better at predicting the reviews a person would make for other movies based on the review they gave movie(s) in the data sets. The problem is, video rental data is legally among the most protected in the U.S. The allegation is that by releasing the "anonymized" data Netflix violated those laws. One of the plaintiffs is an in-the-closet lesbian mother who fears that the data released could out her and have bad effects on her ability to support her family. She has good reason to be concerned. The Netflix contest took place a few months after "anonymized" data from AOL was used by reporters to identify AOL users. So it really wasn't very surprising that just a few weeks after Netflix started its contest researchers were able to identify Netflix users - along with their political leanings and sexual orientation. Oops.

The second part of the lawsuit seeks to prevent the launch of the next contest. Living proof that stupidity is a life long problem (and corporations can live a long time), Netflix wants to provide more "anonymized" data this time. And that data will include zip code, age, and gender. When you combine that with the movie ratings and ID numbers it will be more than enough data to ID Netflix customers. Again.

The bad thing about all of this...well, one of the bad things, is that it has been obvious for years that the traditional 'scrubbing' of data is no longer adequate for anonymizing. Mark Dixon looks into the history of re-identifying data and sees that if data continues to be handled the way it is now, every time any company releases anonymized data they are releasing re-identifiable data.

Unless you are up for canonization by the Catholic Church, that should scare the bejeezus out of you.
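A release can be measured before it goes out. The sketch below is an added example, not Netflix's data or process: it counts how many records share each (zip, age, gender) combination, the columns this post says the next data set would carry, and then repeats the count after coarsening them. The records and field names are constructed for illustration.

```python
"""Pre-release check: how many people share each quasi-identifier combination?"""
from collections import Counter

# Columns that are not names but can still single a person out when combined.
QUASI = ("zip", "age", "gender")

# Constructed records: an opaque customer ID plus the demographic columns.
RELEASE = [
    {"id": 1001, "zip": "46201", "age": 34, "gender": "F"},
    {"id": 1002, "zip": "46201", "age": 36, "gender": "F"},
    {"id": 1003, "zip": "46203", "age": 31, "gender": "F"},
    {"id": 1004, "zip": "46201", "age": 52, "gender": "M"},
    {"id": 1005, "zip": "46202", "age": 58, "gender": "M"},
    {"id": 1006, "zip": "46219", "age": 27, "gender": "M"},
    {"id": 1007, "zip": "46218", "age": 23, "gender": "M"},
    {"id": 1008, "zip": "90210", "age": 41, "gender": "F"},
]


def _key(row, quasi):
    return tuple(row[q] for q in quasi)


def class_sizes(rows, quasi=QUASI):
    """Number of records sharing each quasi-identifier combination."""
    return Counter(_key(r, quasi) for r in rows)


def k_anonymity(rows, quasi=QUASI):
    """Smallest group size; k == 1 means at least one record stands alone."""
    sizes = class_sizes(rows, quasi)
    return min(sizes.values()) if sizes else 0


def unique_fraction(rows, quasi=QUASI):
    """Share of records whose combination appears exactly once."""
    sizes = class_sizes(rows, quasi)
    singles = sum(1 for r in rows if sizes[_key(r, quasi)] == 1)
    return singles / len(rows) if rows else 0.0


def generalize(row):
    """Coarsen the columns: 3-digit zip prefix and a ten-year age band."""
    decade = row["age"] // 10 * 10
    return {**row, "zip": row["zip"][:3] + "**", "age": f"{decade}-{decade + 9}"}


def at_risk_ids(rows, k, quasi=QUASI):
    """IDs of records that sit in a group smaller than k."""
    sizes = class_sizes(rows, quasi)
    return sorted(r["id"] for r in rows if sizes[_key(r, quasi)] < k)


def release_check(rows, k):
    """Generalize, then withhold whatever is still in a group smaller than k."""
    coarse = [generalize(r) for r in rows]
    risky = set(at_risk_ids(coarse, k))
    kept = [r for r in coarse if r["id"] not in risky]
    return kept, sorted(risky)


if __name__ == "__main__":
    print("raw:         k =", k_anonymity(RELEASE),
          "unique =", unique_fraction(RELEASE))
    coarse = [generalize(r) for r in RELEASE]
    print("generalized: k =", k_anonymity(coarse),
          "unique =", unique_fraction(coarse))
    kept, dropped = release_check(RELEASE, k=2)
    print("withheld:", dropped, "-> k =", k_anonymity(kept))
    # This measures only the demographic columns; it says nothing about how
    # identifying the movie ratings themselves are.
```

Even after coarsening, one constructed record is still alone in its group and has to be withheld to reach k = 2.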



Saturday, December 19, 2009

Catching phish

Phishing - the art of crafting a bogus email in such a way that significant numbers of people will click on links inside it, even when they should know the email did not come from the person or group it claims to represent.


First, let's take a look at the information you see when you first glance at the email:


The simple things to look for

This one is actually pretty obvious. I've never worked for Schlumberger or belonged to their employee credit union (they do have one), so I can safely assume I have no account data to verify. But if that wasn't enough, look at the actual 'from' address. The email is supposedly from Schlumberger, but the email address is rrluee@accounts.net. Unlikely to be an address used by Schlumberger. Additionally, the 'to' address isn't my address, but service@orange.fr.


That's all good in a case like this, but what if it's not so obvious? Phishers can forge links, 'to' and 'from' headers, and even the golden 'security lock' that's supposed to tell you when you're connected to a secure site. What if you get emails claiming to be from eBay, or PayPal that don't seem right, but look really good? There are a couple of rules to go by in a situation like that:


First, if they are asking you to click a link to verify an account, they are probably bogus.


Second, never click a link in an email that is asking you to verify anything. Look the company's number up and call them or look up their website in a search engine, but don't use the links or any other contact information given in an email.


Third, if you do click on a link, check the URL in your browser. If you were going to PayPal and get http://www.getstuff.com/paypal you're probably on a bogus site.


I hope this was helpful. Remember, if they want you to provide information via email or a link from email, be wary.
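The checks described in this post (who really sent it, who it was addressed to, and which host a link really goes to), written out as an added example that is not part of the original post. The message is a constructed sample that reuses the addresses and the URL quoted above; the reader address `reader@example.org`, the PayPal display name and the two extra links are assumptions made for illustration.

```python
"""Flag the header and link mismatches this post describes."""
from email import message_from_string
from email.utils import getaddresses, parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: the two addresses and the getstuff.com URL come from the
# post; the display name, subject and the other two links are made up.
SAMPLE = """\
From: "PayPal Account Review" <rrluee@accounts.net>
To: service@orange.fr
Subject: Please verify your account
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<p>Your account is limited.
<a href="http://www.getstuff.com/paypal">Verify now</a> or
<a href="http://paypal.com.getstuff.com/login">log in</a>.
Questions? <a href="https://www.paypal.com/help">Help centre</a></p>
"""


def in_domain(host, expected):
    """True only if host is the expected domain or a subdomain of it."""
    host = (host or "").lower().rstrip(".")
    expected = expected.lower()
    return host == expected or host.endswith("." + expected)


class _LinkCollector(HTMLParser):
    """Collect the href of every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]


def check_headers(msg, my_address, expected_domain):
    """Compare the real sender domain and recipients with what is claimed."""
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2]
    if not in_domain(sender_domain, expected_domain):
        findings.append(("from-domain-mismatch",
                         f"{display!r} was sent from {sender_domain}"))
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    recipients = [a.lower() for _, a in getaddresses(headers)]
    if my_address.lower() not in recipients:
        findings.append(("not-addressed-to-me", ", ".join(recipients)))
    return findings


def check_links(html, expected_domain):
    """Flag web links whose host is not the expected domain."""
    collector = _LinkCollector()
    collector.feed(html)
    brand = expected_domain.split(".")[0]
    findings = []
    for href in collector.hrefs:
        url = urlsplit(href)
        if url.scheme not in ("http", "https"):
            continue
        host = url.hostname or ""
        if in_domain(host, expected_domain):
            continue
        # The brand name in a path or as a left-hand label proves nothing:
        # only the right-hand end of the host name says who owns the site.
        code = "brand-outside-host" if brand in href.lower() else "off-domain-link"
        findings.append((code, f"{href} -> real host {host}"))
    return findings


def analyze(raw, my_address, expected_domain):
    """Run both checks on a raw single-part HTML message."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    return (check_headers(msg, my_address, expected_domain)
            + check_links(body, expected_domain))


if __name__ == "__main__":
    for code, detail in analyze(SAMPLE, "reader@example.org", "paypal.com"):
        print(f"{code:22} {detail}")
```

A clean result only means these particular mismatches were not found; a message that passes can still be a phish, so the rule about not clicking verification links still applies.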

Friday, December 18, 2009

Privacy Rx: Never answer "account verification" emails

A few days ago a doctor at the University of California San Francisco School of Medicine was tricked into giving his email account information. His email account contained some personal data about patients. How was he tricked? The email was designed to look like an official university email. So the first thing to do is put a strong policy in place that the university will never ask for account information through email. Then make sure that everyone knows this.

Well this is a short blurb today, but tomorrow we will go over a phishing email and see how you can detect one.

Who's watching the watchers? The Insurgents.

The Wall Street Journal broke the story. It turns out that high tech comes pretty cheap. Insurgents in Iraq are monitoring some of the data feeds from the U.S. Predator drones using satellite dishes and the $25.95 "Skygrabber" software. Skygrabber was designed to access satellite signals and download data - supposedly legally. Turns out it does a pretty good job of stealing Predator drone data feeds, too.

What confuses me is that the drone feeds are not encrypted. I know military intelligence is supposed to be an oxymoron, but even if interception is unlikely you have to expect it to happen and take steps to either prevent it or make the intercepted data worthless. By strong encryption, for example. So this statement boggles my mind:
"The U.S. government has known about the flaw since the U.S. campaign in Bosnia in the 1990s, current and former officials said. But the Pentagon assumed local adversaries wouldn't know how to exploit it, the officials said."


Ok. You've known about this for more than 10 years, but assumed that the local yokels could not, and would never be able to figure out how to capture your streaming data. Now that's "military intelligence."

To be fair, adding encryption isn't like installing some software, and there are concerns that encryption might cause difficulties in rapid interpretation of the feed data, and in sharing data between services. And that's enough fairness. They've known about the vulnerability for 10+ years, and not only have they not fixed it in the current drone model, it's still part of the design in the new model that is about to go into production. I can see the difficulties of modifying the current design, but to not put encryption on the new model boggles the mind. Hopefully, now that we know people are accessing the drone feeds the new drones will be updated to have encryption.

Thursday, December 17, 2009

rockyou stoned, Facebook infiltrated

Social networking addon site rockyou.com is the latest victim of data theft. The hacker posted about it on his blog after getting ticked because rockyou was lying about the amount of data that had been stolen. But the worst part was that the usernames and passwords – all 32.5+ million of them – were in plaintext. And there were also logins to 3rd party sites because rockyou allows users to create content for sites like MySpace and Facebook. Judging from the comments the hacker makes, MySpace and other sites may have similar insane security practices. I looked at the rockyou site as soon as I heard about it, and there was a short, one paragraph message to users about the "minor" breach. A few minutes ago I went back and the link - worded the same as before - was several paragraphs and 1 1/2 to 2 pages long. It started with:
"Our users' privacy and data security have always been a priority for RockYou and we strive to keep them secure. Our users have confidence in our services and we will continue to ensure that confidence is deserved."

Sounds very nice and up-front. And I suppose it is the truth, since it only addresses the services, not the security of the services. Historically, rockyou has been a lot more concerned with talking about how concerned they are with privacy and security than they have been with actually providing it. In September of 2008 they embarrassed and outraged hundreds of companies that produce Facebook apps by cc'ing them all on an email. They were very apologetic:
"On the behalf of RockYou, I want to apologize to all of our publishers for the slip. While it was unintended, it was a material mistake. We take privacy of all our partners very seriously and have reviewed and corrected the process that enabled this. We continue to work hard to maximize results but its apparent we will also need to work even harder to regain and maintain trust. For those of you affected, please email me directly with any questions, issues or concerns. My email is ro@rockyou.com (ro at rockyou.com – yes, i’m willing to share in the pain)."

Very nice, and very full of bovine excrement. They did the same thing on November 25th of 2008, and again in January 2009.

As if it's not bad enough to have one of the companies heavily involved with Facebook apps proving that, while ignorance is curable, stupidity is a life long problem, Facebook is being besieged by a new variant of the Koobface worm. Hopefully by now (it was announced a week ago) all of the anti-virus vendors have updated their definitions - if yours hasn't, get a different A/V package. Hopefully all Facebook users have up to date anti-virus. Yeah, right. I'll believe that when I hit the lotto 3 weeks running.

The important details are that the virus is spread by placing a "Christmas video" on your wall. When you click on the video it loads "koobface.GK" and installs it. Then it pops up a captcha for you to solve. It won't go away until you solve the captcha, even if you shut down and restart. The captcha is actually the last step in creating a new Facebook account, which proceeds to spread the worm.

By their nature Facebook, MySpace, LinkedIn, etc. are high risk, dangerous places. They encourage blind trust in the site, and in other users. Unfortunately that trust plays right into the hands of the bad guys. It is best to put as little information about yourself as possible and treat links on your wall the way you would treat links in email from people you don't know. Don't "Friend" someone just because they know someone you do, and use as few apps as possible so you don't sell your friends out. Social networks are fun and a great way to stay in touch with old friends, but like a bazaar in Baghdad, it pays to keep your guard up while you're there.

Wednesday, December 16, 2009

Data Breach Bill passes House

HR221, the Data Accountability and Trust Act, passed in the House December 8th and was referred to the Senate on the 9th. The bill requires security policies for consumer information, regulates the information broker industry, and establishes a national breach notification law.

This bit of news got lost in the face of Facebook changes and Google CEO pronouncements. It deserves more attention, and after I've read more about it I will come back to it. Since the bill is going to the Senate, now would be a good time to contact your senator and provide your thoughts on data breach notification.

Tuesday, December 15, 2009

Google CEO scoffs at privacy

Last week, just days after announcing Google Public DNS and raising the question of how much do we really want Google to know about our web activity, Google CEO Eric Schmidt gave us the answer in an interview on CNBC. The answer is, as little as possible. When the CEO of Google basically says, "you have no privacy, get over it" it's time to let him know that it does matter. I'm not too impressed by the way he used the Patriot Act to justify it, either.

Asa Dotzler, Mozilla's chief of community development, feels the same way. In his blog he tells people to add Bing to Firefox. You know if Mozilla, one of the opponents Microsoft couldn't quite kill, is suggesting a Microsoft product they have serious concerns. The add-on he links to is here. He also says that the Bing privacy policy is better than Google's, but I don't really see a whole lot of difference on a quick read of both.

I'm sure I'll keep using Google search, if only because I use multiple search engines already. The web's a big place, and most search engines hit spots that others don't - even if it only shows up 4 or 5 pages down - yes, I often go that far down in search results.

The truth is, as much as I don't like Mr. Schmidt's attitude toward privacy, until someone comes up with a new way to do search that out-googles Google, you can't afford to ignore it. But you can let them know what you think about it and hurt their bottom line by using other search engines more.

Monday, December 14, 2009

Guess who wants to copy Facebook

In a report on modernhealthcare.com (requires registering for free account) we are told that Facebook's new privacy model is a good beginning for the online records for the healthcare industry. And as mixed a bag as the new policy is, they may be right.

Facebook still needs to do some work - how much depends on who you talk to - before their privacy settings will pass muster with most privacy advocates and many users. But the concepts behind them address issues that the medical industry has been saying could not be done. That is, huge numbers of accounts can have individualized settings. With the living proof that Facebook has provided, we may see hospitals and insurance companies providing online records similar to the offerings provided by Google and Microsoft, but with the information entered for you by your health providers. And those providers have more (and more binding) reason to protect your data.

Sunday, December 13, 2009

Facebook's new privacy settings not popular

In my very quick overview of Facebook's new privacy policies I said that overall the changes looked good. I still believe that, but some things that weren't obvious in that quick look show that it's not all good. While there were some good things done in Facebook's new privacy settings, some things that used to be configurable aren't anymore, and people are complaining. Whether privacy advocates such as the EFF or individual users commenting directly to Facebook, there is definitely a feeling that, while some of the changes are good, some things, especially the transition tool that pops up the first time you log into Facebook after the new settings were implemented, are aimed more at removing privacy than improving it. The transition tool, if it were really meant to improve privacy, should take you through each of the settings and explain what they do so you can make an informed decision. It should at least preserve your old privacy settings. But it doesn't. It selects Facebook's "recommended settings" which happen to be to share everything with the world, or at least that portion of the world that has Internet access. It does give you the option of keeping your old settings, but you have to consciously make the decision and click the selection for each setting, which is exactly backwards of the way it should be.

There are a couple of other options (or lack of options) that are cause for concern. You used to be able to hide things like your hometown and your birthday, but now the only way to hide them is to remove them from your profile. It also used to be possible to tell Facebook not to share information with Facebook apps. That option is no longer available, so now when one of your friends starts playing a game like Mafia Wars it can suck not only their information, but yours, too. That means, of course, that anytime you use a Facebook app you could be giving up all the information of everyone you have on your Friends list. So while overall the changes may have been good, the fact that you can compromise yourself and your friends by loading a Facebook app is unforgivable. To make matters worse, the new privacy policy seems to be full of doublespeak that removes privacy assurances while appearing to give them.

I encourage you to go to Facebook's site governance page and tell them you don't approve the removal of privacy options and demand that we be given control of all of our information. Insist that the defaults should err on the side of privacy, not full disclosure. The ACLU also has a petition going to get the privacy settings changed. I would recommend signing it, as well.

Saturday, December 12, 2009

Google Public DNS - Is it worth it?

On December 3rd Google announced their newest service, and potentially the most troubling, privacy wise. Google Public DNS is supposed to be optimized to provide a better DNS service than your ISP can. You might wonder how Google could do that, and why we should - or should not - use Google DNS.

First, it helps to understand what DNS is. DNS stands for Domain Name Service, and is the reason we are able to remember to type http://www.walmart.com instead of having to remember http://161.170.244.20/. Sites on the internet are actually mapped by IP number. Since groups of 12 numbers can be hard to remember, the Domain Name Service, aka DNS, was devised. DNS takes the easy to remember www.walmart.com and connects it to the real IP address of 161.170.244.20. The web wouldn't work nearly as well without DNS. With it, if I don't know a company's web address, I can make a few guesses and probably figure it out. If I had to guess an actual IP address, I'd probably die before I got it right.

The reason this is a privacy issue is that while Google knows an incredible amount about us already because of our searches, they only know what we search for and what links we click in the results. If you make Google Public DNS your DNS provider, they know everything you do on the web. Every site you go to, every file you download, every streaming video you watch. It will all pass through Google. Google claims they are not going to share that information except in aggregate - meaning statistical groupings, i.e. males between the ages of 18 and 25 are more likely to go to gamespot.com than females between the ages of 40 and 50. Given the ad earning potential of such information, I'm not surprised Google is getting into the DNS business. With a world wide presence Google would be instant king of the information world. Well, Google is already king so I guess the next step up would be promotion to emperor.

I know that Google's stated reason to run DNS servers is to improve everyone's internet experience, but does that really hold water? If you select Google as your DNS provider you have to go through your ISP's servers before you can reach Google's, plus however many hops there are between your ISP and Google's servers. Plus your speed getting to Google's servers will be affected by the condition, settings and traffic on all of the servers between you and Google. I doubt you'll see much improvement over your ISP's servers. Of course, since the differences will be measured in a few milliseconds, even if Google's DNS is faster, I doubt you'll be able to tell. Is that worth turning every single bit of data your web surfing generates over to Google? I don't think so.

Friday, December 11, 2009

The Transportation (in)Security Administration

The Transportation Security Administration (TSA) is the agency in charge of airport security nationwide. It seems that they posted their procedure manual online by accident. The document was redacted, but despite the many previous incidents involving supposedly redacted* documents, the manual was poorly redacted - the redactor just drew boxes over the sensitive data instead of selecting and deleting it. It was only a matter of hours before the un-redacted document was available online.

According to the TSA the information that was posted is old and the manual was never even made available to TSA staff. But there was a lot of sensitive information in that document. From the easily duplicated ID cards for various agencies (including CIA) to information on the x-ray machines that could be used to find a way to fool them, there is plenty there to put anyone on their guard.

The TSA seems to be pooh-poohing the incident. That's understandable, if annoying. You can't reveal any more about how weak your defences are than the bad guys already have. But this is a serious breach of national security. Using this document it is possible that another group of terrorists could come into the US using fake documents that would whisk them through airport security with little or no security checks. It might make it possible for weapons to be smuggled onto planes in carry-on luggage. It may not be the worst threat to national security we've ever seen, but it's not a good one. Fortunately this breach has caught the attention of congressional leaders and others, so whatever error caused the manual to be posted may be found and cleared, and steps put in place to find and prevent similar errors in the future.

*redacted - sensitive information removed prior to release

[edited @ 9:56am because there's no reason for most people to know what 'redacted' means - Bert]

Thursday, December 10, 2009

Taming the Facebook Beast, pt 3

For some reason I thought the changes to Facebook's privacy settings took place last week. Then tonight I logged on and was hit with the notice that the privacy settings have changed. The good news is, nothing much is changed as far as what you may have already set, and anything you've done already is still there. And if you want to change anything, it's now all available in one place, a place we've seen before:

[Image: First, go to Settings-Privacy]

Once you click on "Privacy" things look a little different:

[Image: Facebook's new consolidated privacy page]

Today we're going to go over the new interface, and finish our Facebook tutorial in the process. That's made possible because now everything is accessed in one spot, and all of the settings are controlled in almost exactly the same way. There's no need to relearn how to do anything we've already gone over, only where it's at. The first group of settings is the Profile Page, which we'll take in two parts because my screen isn't large enough to get the whole page at once :)

[Image: Top portion of the new Profile privacy page]

[Image: Bottom portion of the new profile privacy page]

You can see that the controls are more specific, giving you more options for controlling what is viewable by whom. The privacy pull down menus are the same as before. But the "Custom" option is greatly simplified.

[Image: It's easy to set up multiple exclusions]

There are two privacy settings that are different from the others on the Profile privacy page. The first is the "Photo Albums" setting. Clicking on "Edit Settings" brings up the album privacy page. Both the album privacy page and the custom privacy settings are the same as before:

[Image: The album privacy settings haven't changed]

The second is the "Allow Friends to post on my wall" setting. It is either on or off. To me this is the setting that most needs to be configurable. Sure, if someone insists on posting annoying things on my wall I can unfriend them, but I want to leave that as a last resort. I want it to be the same configurable interface I use to say who can see my birthday.

The next option is the "Contact Information" and it handles things like phone numbers and IM info:

[Image: Control who can see your email address, IM, etc.]

The privacy pull down menus work exactly the same as on the Profile privacy page.

After the contact information comes the "Application and Website" privacy section:

[Image: The privacy settings for Applications and Web pages]

The first selection, "What you share" is just an overview of how sharing works in Facebook. The second section, "What your friends can share about you" is a series of checkboxes:

[Image: Uncheck anything you don't want your friends to share about you.]

You can be as wide open or as close mouthed as you want to be, which is a good thing. The next section is blocked applications - the Facebook help says to go to the application's about page, but I haven't found a link to an about page on any application I use, so I can't tell you much about blocking apps. It's something I'll be looking into in the next week or so.

Search is the next setting:

[Image: Simple and clear.]

Exactly as it used to be, to keep from being submitted to Google and other search engines, make sure that "Public Search Results" is NOT checked.

Notice the request for a password. I have been gone from my computer for hours with Facebook up and nothing locked. Now after a short time of inactivity you have to give your password to get back into Facebook. That is another good change in the way Facebook does things.

And our last stop on our whirlwind tour of the new Facebook privacy policies is the people blocker:

[Image: Block people by name or email address]

Very simple, just enter the name or email of the person you want to block. And that concludes our basic overview of securing yourself on Facebook.

This new strategy of putting more options in the main windows and simplifying the custom settings windows has made the privacy interface cleaner, easier to navigate, and more intuitive. It's a major improvement, and hopefully one that will encourage people to make use of the privacy settings.

Wednesday, December 9, 2009

Taming Facebook: pause for update

I've had an extremely long day (it's 2am) and haven't even looked at Facebook settings. But I do have some additional information to give you regarding photos on Facebook.

When you set your privacy settings for tagging photos you can prevent others from tagging you in photos, but you cannot keep them from downloading your photos from your profile, and you can't keep them from posting photos of you. All you can do is keep them from tagging you in the photo. So even if you only let your friends see a photo, nothing prevents them from downloading it and posting it on their own Facebook page. Of course, if you spend much time with them they probably already have plenty of photos you wouldn't want the world to see.

I will work on some more Facebook privacy settings for tomorrow and finish either tomorrow or Friday.

Tuesday, December 8, 2009

Taming the Facebook Beast pt 2

In part one we listed 10 things you can control on Facebook:

1. Configurable friend lists
2. Ability to remove yourself from Facebook search
3. Remove yourself from Google
4. Avoid photo/video tags
5. Protect your albums
6. Prevent stories from showing up in your news feeds
7. Control Application published stories.
8. Make contact information private
9. Avoid embarrassing wall posts
10. Keep friendships private

We briefly went over 1-3. Today we're going to look at 4 and 5, and maybe 6 if I'm fast enough.

4. Controlling photo and video tags.
a. Go to Settings-Privacy
[Image: First, go to Settings-Privacy]

b. Go to Profile
[Image: Profile]

c. There you will see the privacy page. Go to the second group of 3 pull down menus.
[Image: Go to the second group of three pull down menus]

d. On "Photos tagged of you" select "Customize".
[Image: Select "Customize"]

e. The Customize box is similar to the one for your Basic and Profile data, but there are a few differences. I've tried to illustrate a little of what can be done. Note: If a friend is in two Friend Lists, he will be given the most restrictive access between the two. So if he belongs to "Family" and "Know from Work" he will not be able to see any photo that "Know from Work" isn't allowed to see, even if "Family" is.
[Image: Enter the Friends you want to see tagged images]

5. Protect your albums
a. For some reason this privacy setting is not with the others. That may change soon.
[Image: Follow the numbers for privacy settings]

b. The options for the next two screen shots are the same as the methods for limiting access to posts and photos, so I'm just going to show them without comment. If anyone has any questions, feel free to ask.
[Image: Access options for photo albums]

[Image: albumpriv]

Tomorrow a few more Facebook privacy settings.

Monday, December 7, 2009

Taming the Facebook Beast pt. 1

Facebook has a number of tools to help you control who has access to the information you put up on your pages. They include:

1. Configurable friend lists
2. Ability to remove yourself from Facebook search
3. Remove yourself from Google
4. Avoid photo/video tags
5. Protect your albums
6. Prevent stories from showing up in your news feeds
7. Control Application published stories.
8. Make contact information private
9. Avoid embarrassing wall posts
10. Keep friendships private

Let's look at these in a little more detail:

1. Configurable friend lists
Friend lists allow you to put your friends into groups according to your own preference. You can group your friends by how you know them (work, church, social group, etc.) and then set what you want each group to see. The steps to limiting what a list sees are:


a. Go to the Settings Menu and select "Privacy Settings"
[Image: Go to Settings-Privacy Settings]

b. Select "Profile"
[Image: Select Profile]

c. Select the pull down menu next to the type of info you want to limit access to, then "Customize"
[Image: Select the data type: Customize]

d. In the Custom dialog set who you want to see your info, and set any friend or list you want to keep from seeing it in the "except these people" field.
[Image: Use the custom dialog to limit access]



2 & 3. Remove yourself from Facebook and Google search.
It's important to note that if you don't tell Facebook you don't want to be listed in Google searches shortly after signing up for Facebook, you will be listed on Google. But once you choose not to be in Google search you will gradually sink down in the listings. Of course, if people search for your name, even being low down the listings may still have you on the first page. To tell Facebook not to release your information to Google:



a. Go to Settings-Privacy Settings again.

b. Select Search
[Image: Select Search]

c. Choose who you want to be able to find you and what they can see.
[Image: Searchoptions]

d. If you have "Everyone" selected in the "Search Visibility" field, you will also have the option to allow your profile to appear in Google searches. If you don't want to appear on Google, uncheck the box.
[Image: googleoption]


That should be enough to swallow for one day. We'll cover 4 & 5 tomorrow - Wednesday if I'm too strapped for time. There will be some type of post Tuesday either way.

Sunday, December 6, 2009

Is privacy dead?

According to CNN, we have reached "The End of Privacy" and Andrea Dimaio of Gartner tells us privacy is "an illusion." This is a sentiment I've seen expressed more and more often the last few years. I think this belief comes from a misunderstanding of what privacy is. Privacy is not being hidden. The best definition I've seen for privacy, what I consider privacy, is from the terms of service of emailmarketingpro.org. According to them, privacy is:

The quality or condition of being free from unsanctioned intrusion. Person should be sure that the personal information provided will not be used in any other purposes then those the user needs.


Whether or not they abide by that definition I couldn't say, but I like it. Bob Blakely of the Burton Group identity blog has a different, but related, take on privacy. In his entry, "Gartner Gets Privacy Dead Wrong" he tells us that privacy does not equal secrecy. As long as you don't tell anyone your information, you don't have a privacy problem. Once you tell information to someone, then you have a privacy problem.

That makes a lot of sense. Privacy doesn't involve keeping things secret, but controlling who accesses them, and how. I like that idea, and it dovetails nicely with the emailmarketingpro definition. One of the problems with social networks is that people surrender too much control over their information. Well it turns out that it doesn't have to be that way, and Facebook is putting more safeguards in place for people to use to give them even more control over who sees their information. The trick is getting users to use the controls.

I can't make people use them, but I can make the information readily available. Over the next few days I'll be looking at some of the ways you can control your information on Facebook. Nothing can protect you completely, but the first step to greater security is controlling how others access your data.

Saturday, December 5, 2009

Just a quick one

I haven't verified this, but in the "privacy taken too far" department: In Germany privacy laws are so strict that German universities cannot reveal who they have given degrees to. Now that's privacy taken to a ridiculous level!

In the "deserves more attention, but I'm short on time department" we have Congress declaring hearings because two wannabe reality show stars manage to sneak into a state dinner - two people who are not unknown in Washington circles, from what I've seen - a week after the event. A month after 13 people are killed and many more injured in the Fort Hood (terrorist) attack they're still putting a hearing off. I don't understand.

Friday, December 4, 2009

NSA: Still listening with Presidential approval

Not much time tonight, but I have to comment on a report from OpEdNews on NSA wiretapping. It seems that Obama is as enthusiastic about the program as George Bush was. Why couldn't their area of agreement have been that the US is the greatest country on earth? This practice kicks the teeth out of the Fourth Amendment:

Amendment IV

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.


It really is important that we let our elected representatives know that we will not stand for this. Every freedom we let go, every right we let them take away, is one step closer to letting them take away all our freedoms and all our rights. I can't say it any better than James Madison:

I believe there are more instances of the abridgement of freedom of the people by gradual and silent encroachments by those in power than by violent and sudden usurpations.

Thursday, December 3, 2009

Facebook not necessary for self incrimination

I'd like some input on this one. I honestly can't decide how I feel about this. Somehow I wound up at theweek.com and a headline caught my eye. "Post a vulgar comment, lose your job" it said.

It seems a teacher made an anonymous comment on the local paper's website responding to the question, "What's the craziest thing you've ever eaten?" He responded with a word occasionally found before the word cat.

Apparently being the impatient type, he couldn't wait to get home and posted his anonymous response from the school. Then when it was deleted he reposted. The editor of the paper noticed the post was made from the school and contacted them to report that someone from the school was posting lewd comments. The school was able to determine who made the post, and when confronted he resigned or was fired.

This was clearly an overreaction by the paper. When they asked for the craziest thing you've eaten, they had to know someone was going to post that response. When it appeared again they shouldn't have been surprised. Frankly, I think being stupid enough to ask that question warrants some type of disciplinary action.

On the other hand, what kind of idiot posts obscenities from work? Twice. Even anonymously, you risk someone noticing as you post it.

What do you think? Should the editor have contacted the school? Should the guy have been fired?

And remember kiddies, there is no such thing as anonymity online. If they want to bad enough, there is almost always a way to find out who you are.

[Edited for better title]

Tuesday, December 1, 2009

The fallacy of "crime prevention" cameras

In the last few years there has been a lot of reporting about cities and even countries (England) putting a great deal of trust in the idea that cameras in public areas will deter crime. I don't believe the evidence supports that idea. Here in Lubbock data indicated that on intersections with red light cameras, accidents increased, which was the opposite of the desired effect.

In Dallas they have had cameras for a while. It's interesting to take a look at 3 snapshots in time:

March 21, 2008 - Dallas News reports that cameras placed around the Dallas area have reduced crime. Among items reported as also having an effect in some areas are increased police presence and active neighborhood watch. For some reason their effect on crime is barely acknowledged.


April 27, 2009 - the Grit for Breakfast blog looks at the reported improvement in crime statistics and reveals that while crime was down 11% in camera monitored areas, it was down 18.7% in the rest of Dallas. The author wonders whether a decrease in one area's crime is really a decrease if the rest of the city decreases more. He also points out that Dallas recently changed its crime reporting policy, and the effect of that has not been factored in.

December 1, 2009 - cbs11tv reports that the cameras have been ineffective at deterring crime. In one area where the cameras were placed, crime actually increased - and none of the crime was caught on camera.

Crime cameras are not tools of a legitimate republic. They are the tools of totalitarian regimes and serve best as a means to monitor law abiding citizens, not criminals. Criminals will figure out where the cameras are and make sure not to expose themselves. Law abiding citizens will become the monitored while criminals go around the not-so-deterrent.

Health, the web, and HIPAA

One of the more exciting (or frightening) developing trends on the web is the push to keep your health records online. The government is encouraging doctors, hospitals and other medical institutions to do this for the ultimate in health records portability. This is made more difficult by HIPAA, which makes those same groups responsible for the security of your health records. The end result is that the government is sending mixed messages, and smart money is on keeping the records offline if you're a medical provider.

Enter two companies not exactly renowned for their respect of privacy: Microsoft and Google. Google Health and Microsoft's Healthvault allow you to put your medical records, prescriptions, shot records, etc. online and share them with your pharmacy and various healthcare providers. This sounds like a really good idea. It makes your records readily available for new doctors and makes it easy for you to share with a trusted family member or friend. Here is a short examination of both services.

First we'll look at Google Health. From the page you go to on that link:



Take charge of your health information

It's safe, secure and free

* Organize your health information all in one place
* Gather your medical records from doctors, hospitals, and pharmacies
* Share your information securely with a family member, doctors or caregivers

Google stores your information securely and privately, but you always control how it's used. We will never sell your data. You are in control. You choose what you want to share and what you want to keep private. View our privacy policy to learn more.


The privacy policy looks pretty good, but under the "How Google uses your information" section, #3 states:

Google will use aggregate data to publish trend statistics and associations. For example, Google might publish trend data similar to what is published in Google Trends. None of this data can be used to personally identify an individual.


I don't like my data being shared even "in aggregate." It's supposed to just be information like "x number of persons making between 45,000 and 100,000 a year are members." But I'm paranoid, especially about my health data. That is data that can be very damaging in the wrong hands.

The "Sharing your information" section is encouraging. The first thing they do after telling you that you can share information, see a list of who you are sharing it with, and revoke the right of someone on the list to see your information is to warn you that they may still have a copy of it, even if they can't access it to get new information. Now if only people would actually read the policy it would save some headaches later.

One encouraging thing about Google's offering is that it complies with Safe Harbor guidelines. By the nature of their business Google is not the world's biggest privacy watchdog, but they appear to understand the importance of privacy when it comes to health records.

Now for a look at Microsoft Healthvault:

HealthVault lets you …

* Organize your health information, with everything in one place
* Simplify your life: enter health info once, use it in many ways
* Gain insight with data that helps you make informed decisions


Microsoft Healthvault is HONCode and Truste certified. Health On the Net was founded in 1995 and "promotes and guides the deployment of useful and reliable online health information, and its appropriate and efficient use." You can verify Healthvault's certification here, but right now they are actually undergoing annual review. It comforts me that they are reviewed annually.

The Healthvault privacy policy is longer and wordier than Google Health's but says essentially the same thing. Your data will only be released in aggregate, except for the people you release your own info to.

The question that burned in my brain when I heard about this was, "What about HIPAA? How can this be legal?"

Actually, because neither business is a medical provider, they fall through the cracks of HIPAA. They are providing a service to the consumer and have no affiliations with hospitals or doctors. So they can do things a doctor or hospital would not be able to do when it comes to your data. You might want to think about that before joining either of these services. But despite what looks like a service I would avoid at first glance, I would recommend either of these for someone who has medical conditions that require multiple specialists. My experience is that there usually isn't as much communication between doctors as you would expect. But they have to give you your records if you ask, and putting the records in a service like this means you can make sure every doctor has access to everything going on. These services don't remove control of your information from you, they give you control you've never before had of your healthcare. That is a good thing.

[Edited 7:40am to add to last paragraph]