Wednesday, March 31, 2010

Facebook in denial

Facebook is looking at changing its privacy policy again. This time the idea is to share your data with a "select few" companies in order to "provide you with useful social experiences off Facebook." I can't think of a third-party company I would want to share my Facebook information with. I can't think of one that I would care had it, either, but that's not the point. Facebook is making this an opt-out program. If you opt out, the companies are required to remove your data from their records, but that's kind of like telling Pandora to put the bad things back in the box.

In an article on eWeek.com Facebook dismisses the idea that the change has anything to do with advertising. I suppose that could be true. They could be getting paid for the personal data given to the third parties rather than using the data for advertising themselves.

Either way, I agree with this Facebook user:

"My privacy is paramount to me and UNLESS I say so explicitly you have no right to provide my data to whoever you think is authorized," wrote Facebook user Harish Menon. "I don't care if it's your mom and you think she's trustworthy; I don't want my data to be given out to anyone unless I say so."

Tuesday, March 30, 2010

Apple sprays for worms

In my inbox today I had an email from Apple detailing over 80 vulnerabilities plugged in their latest OS update, OS X 10.6.3. Included in the details are the people who reported the various vulnerabilities. It fixes everything from a bug that allows a Mac to be hijacked when a user performs a spell check to flaws in the Apache web server built into OS X. This is a large update, and it really covers a lot of stuff. If you want to learn more, you can check out Apple's page on it.

Apple also released a security update for Leopard (10.5).

If you have a Mac running OS X Leopard (10.5) or Snow Leopard (10.6) you can get the updates through Software Update (either automatically or under the Apple menu) or the Apple download page.

Monday, March 29, 2010

Facebook causes syphilis

No, really, it does. According to the Telegraph, "Facebook 'Linked to Syphilis.'"

Reading the article, it turns out that "linked to" is a little stronger than what Professor Peter Kelly, the researcher who saw a connection, actually said. He saw that a couple of areas of Britain that have an increased incidence of syphilis also have high Facebook usage. Professor Kelly observed that "Social networking sites are making it easier for people to meet up for casual sex." Apparently the data he used included where people were hooking up, and a lot of them met through Facebook. Not a smoking gun, more like circumstantial evidence.

Facebook is, of course, coming out swinging about the assertion. A spokesman said, among other things, that "Facebook is no more responsible for STD transmission than newspapers responsible for bad vision." Not a perfect analogy, but close enough, I suppose.

I don't know that Facebook is actually making it any easier for people to have casual sex. I do suspect that attitudes and fears about sex have probably changed somewhat in the last 20 years, and that might have something to do with it.

Of course, "Some people on Facebook meet each other for unprotected sex and get STDs" just isn't as snappy a headline.

Friday, March 26, 2010

Full body scans can't be abused. Right.

Michael Holden reports in Reuters "Oddly Enough" news that a security worker at London's Heathrow airport is in hot water for looking at a coworker who "mistakenly strayed into the scanner."

The 25-year-old man is not in deep trouble yet because the incident is still being investigated, but if the investigators conclude he actually did see things he shouldn't have, it will put a whole new spin on full body scans. Citizens around the world have been assured repeatedly that security workers wouldn't be able to see their "naughty bits" on the scans. If the investigation proves they can, there could be a massive public outcry.

Of course, the investigation is being carried out by government employees, and the government has a vested interest in finding that nothing actually happened.

Thursday, March 25, 2010

Is answering the census safe?

NOTE: Checking Census law reveals that it is illegal to refuse to answer the census questions.

In an opinion piece on csmonitor.com James Bovard examines the possibility that our census answers may not be as private as we're promised they'll be. He looks at the historical record the Census Bureau has built regarding the privacy of census data. It doesn't look too good. The first mar on the bureau's record was the production of a list of Japanese Americans on the East coast within days of Pearl Harbor. Although they are now remembered (when mentioned at all) as "internment camps" or "War Relocation Camps," Japanese Americans were rounded up and put into concentration camps. The Census Bureau denied any such activity until 2000, and denied giving specific names and addresses until it was proved in 2007 that exactly that information had been provided.

The Department of Homeland Security was given similar information by the Census Bureau in 2003-2004 regarding people of Middle Eastern ancestry in the U.S. No roundups occurred, but they would have been much easier with that information.

Mr. Bovard talks about the abuses of citizen privacy in the last 10 years, and points out that all the census is really required by the Constitution to gather is a count of citizens, so the number of people living at each address is all that anyone should provide. Especially since the government is obviously more concerned with gathering as much information as it can about citizens than with protecting their rights. It was true of the Bush administration, and by all the evidence nothing has changed with the Obama administration. I have no doubt that census data will be used in whatever fashion the government feels the need to use it, no matter what the law says.

Wednesday, March 24, 2010

Hotels highly hackable

The ID Security Solutions blog reports that data breaches are heaviest at hotels. According to the post, both Trustwave's SpiderLabs and Verizon Business found that in 2009 hotels had more data breaches than any other industry. That's not very encouraging when you realize that there's not a lot we can do as consumers to protect our data once we've turned it over to the hotel.

To make it worse, the weakest link appears to be the point-of-sale software. The software is often administered by third parties who log in to the systems remotely. If they don't change default passwords, use weak passwords, or leave passwords blank, then it's easy pickings for data thieves. But I'm not sure I believe that most of the breaches are caused by poor password practices. The Heartland breach that ran from late 2008 to early 2009 took place after they had passed security audits. Whether the audits were for Sarbanes-Oxley or PCI-DSS compliance, having blank or default passwords would not have passed.

As we move to a more and more plastic-based economy, our financial data becomes more dependent on the security of the businesses we deal with. That is something we have little control over. I'm not sure what the best answer is, but we need to find one.

Tuesday, March 23, 2010

OS X: Safer but less secure than Windows for now

Darren Murph at Engadget reports that Charlie Miller is going to expose 20 zero-day exploits for OS X at the upcoming CanSecWest. Mr. Miller has been exposing holes in OS X for years, and has twice won the Pwn2Own hacker contest by taking control of Apple computers. A third time he took control of an iPhone.

A zero-day exploit is a piece of malware that takes advantage of a vulnerability that is not generally known, so there are no patches, updates, or workarounds to keep it from being used. Unless the person who discovers the zero-day exploit informs the creators of the software being exploited, the vulnerability probably won't be patched until after someone writes some type of malware that takes advantage of it.

If you, like me, are a big fan of Apple Macs, you know that Apple likes to tout the security of OS X and the Mac. If you are an honest Mac user you realize that OS X has vulnerabilities. Some have even been exploited, if not very successfully.

Charlie Miller is very good at what he does - finding security holes so they can be patched before the bad guys can take advantage of them. His years of work in computer security have given him a good perspective on the state of Mac security vs. Windows security, and that insight produced one of my favorite quotes on the subject:

"Mac OS X is like living in a farmhouse in the country with no locks, and Windows is living in a house with bars on the windows in the bad part of town."

In other words, Macs are safer, because there aren't that many people trying to break into them. Windows computers are more secure because the security holes are constantly being patched. As much as I wish it weren't so, the analogy works. Hopefully Apple is working to change that.

Monday, March 22, 2010

Facebook cloning plus Nestle: Facebook fanbango

Facebook Cloning

In a report on 39online.com out of Houston, Mayra Moreno reports on Facebook cloning. She introduces us to Edna Canales, who has had her social networking profile cloned twice: once on Myspace and once on Facebook. Apparently both times the cloner harvested pictures of her from the pages of Edna's friends and put up a page claiming to be her. The last time, on Facebook, she discovered the clone when she got notices that her friends had friended another Edna Canales.

Both incidents were reported to the police, but you can't do much to someone who's cloned your Facebook page unless you can prove slander or harm done. Ms. Canales was fortunate. Someone, for some unknown reason, cloned her page, but apparently only wanted to be her online for a while. It could have been much worse. They could have posted anything, and if people believed it was her, it would have impacted her reputation, her employability, possibly her continued employment. It's important to keep an eye on what's going on with your name online. For most people it will never be a problem. For others, constant vigilance can catch bad things before they blow up. Speaking of blow-ups, next up is:

Nestle, the unFanpage

Caroline McCarthy on CNET tells us about Nestle's Facebook fiasco. It seems that Greenpeace, which has had a longtime fight with Nestle over environmental practices, i.e. the use of palm oil in Nestle products, encourages supporters to use altered Nestle logos for their Facebook pages. When Greenpeace discovered Nestle's fan page on Facebook, they encouraged people to tell Nestle exactly what they thought about using palm oil.

Nestle had created a fan page. They were not ready for the reaction they got. Apparently in "OMG, how do I control this!" panic mode, the page's manager started deleting posts from the page if they had adulterated Nestle logos. In response to protests, they made the technically correct but PR-nightmare "we are protecting our trademark" statement. That made matters worse, and eventually Nestle apologized and quit deleting posts. Will Nestle see the negative feedback on its fan page as an important sign and remove palm oil from its recipes? Only time will tell, but given the current state of the Nestle wall, they may want to consider it.

Friday, March 19, 2010

Facebook the new "stakeout" locale

The Electronic Frontier Foundation has received information on how the FBI works undercover on Facebook. While not actually saying it happens, the document they received through a Freedom of Information Act request definitely implies that agents create fake profiles to friend suspects and their friends. No one is sure how information gathered with fake profiles - something forbidden by the terms of service of most social media - will hold up as evidence. PCWorld.com points out that there is a significant difference between undercover work in the real world and in the virtual one. In the real world it is not possible to pretend to be someone's mother, wife, etc. Using bogus information, it is possible on Facebook. That is a real problem.

How many Facebook friends do you have? How many of them do you really know? Do you have an FBI agent in your group of friends? Would you know if you did? Watching what you say and do - and who with - on social networks has long been important. Now it really is a necessity.

Thursday, March 18, 2010

Beware the new Facebook scam

There's a new Facebook scam out. On CNET's Insecurity Complex blog Elinor Mills reports on the newest Facebook scam. First reported by McAfee on its Security Insights blog, the scam is an email claiming to be from Facebook and saying that your password has been reset. All you have to do to get your new password is click on the attachment.

Yeah.

Obviously you don't want to click on the attachment, or I wouldn't be bothering to post about it. Clicking on the attachment installs a "password stealer," as McAfee calls it. I don't know if it's a keylogger or something else, but it isn't limited to stealing Facebook passwords. And according to McAfee it's the 6th most common piece of malware targeting consumers. You can see an example of the scam email on the McAfee site.

Remember, clicking on unknown links and attachments in email is inviting disaster.
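As an added illustration (not code from the post, from McAfee, or from CNET), here is the kind of check a mail filter or a cautious user can apply to a message like the one described: it parses the email, compares the brand named in the sender's display name and subject against the domain the mail actually came from, and flags attachments with executable-type file names. The message below is a constructed sample, not the real scam email, and the list of legitimate Facebook sender domains is an assumption for the example.

```python
"""Flag mail that claims to be from a brand but carries an executable attachment.
Added example; the sample message and the brand-domain list are constructed."""
import email
from email import policy

# File-name suffixes that should never arrive as a "new password" attachment.
SUSPICIOUS_SUFFIXES = (".exe", ".scr", ".pif", ".bat", ".cmd", ".zip")

# Constructed sample: the display name says Facebook, but the sender domain does
# not, and the "new password" is delivered as an executable attachment. The
# base64 payload is just the text "not a real program".
SAMPLE_MAIL = """\
From: Facebook <support@example-mailer.invalid>
To: victim@example.org
Subject: Facebook Password Reset Confirmation
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/plain

Your password has been reset. Your new password is in the attached document.
--B1
Content-Type: application/octet-stream; name="Facebook_Password_4cf91.exe"
Content-Disposition: attachment; filename="Facebook_Password_4cf91.exe"
Content-Transfer-Encoding: base64

bm90IGEgcmVhbCBwcm9ncmFt
--B1--
"""


def sender_domain(msg):
    """Domain of the first address in From:, lower-cased (policy.default parses it)."""
    return msg["From"].addresses[0].domain.lower()


def brand_claimed(msg, brand):
    """True when the sender's display name or the subject invokes the brand."""
    display = msg["From"].addresses[0].display_name.lower()
    subject = (msg["Subject"] or "").lower()
    return brand in display or brand in subject


def dangerous_attachments(msg):
    """File names of attachments whose suffix is in SUSPICIOUS_SUFFIXES."""
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(SUSPICIOUS_SUFFIXES):
            names.append(name)
    return names


def assess(raw, brand="facebook", brand_domains=("facebook.com", "facebookmail.com")):
    """Return a list of human-readable findings; an empty list means nothing odd.
    brand_domains is an assumed allow-list for the example, not Facebook's real one."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    if brand_claimed(msg, brand) and sender_domain(msg) not in brand_domains:
        findings.append(f"claims to be {brand} but sent from {sender_domain(msg)}")
    for name in dangerous_attachments(msg):
        findings.append(f"executable-type attachment: {name}")
    return findings


if __name__ == "__main__":
    for finding in assess(SAMPLE_MAIL):
        print("FLAG:", finding)
```

The sample message trips both checks; a real filter would quarantine on either one, since a legitimate password reset never arrives as an attached program regardless of who the sender claims to be.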

Wednesday, March 17, 2010

PlainsCapital vs Hillary: Symptom of a larger problem

Tom Field of the Field Report blog wrote an entry titled "Trust on Trial" after returning from the RSA security conference. According to him there were three words on everyone's mind: cloud, computing, and trust.

Trust was the surprise word. It seems a lot of business people are questioning the safety of using a bank at all, let alone banking online. Two cases are specifically mentioned in his post:

Experi-Metal, Inc. vs Comerica Bank and PlainsCapital vs Hillary Machinery.

These two aren't picked because of their unusual nature (although PlainsCapital vs Hillary is unusual), but because they are the latest in an ongoing trend: a business customer's account is pilfered, and the bank claims no responsibility. Normally the customer sues the bank, but in the case of PlainsCapital, the bank preemptively sued the customer, asking a court to declare its security practices "reasonable".

What is reasonable security for a bank? Nobody really knows, since no clear-cut definition has ever been coined. That doesn't mean there aren't standards and minimum requirements; it just means that there isn't an official definition of "reasonable."

If you think about it, there is actually a very good reason why that particular term isn't defined. And many security experts fervently hope it remains that way. Internet security changes quickly. What is reasonable today may be totally hopeless tomorrow. Defining reasonable security will give banks a hardcoded standard to comply with - a standard that will quickly become unreasonable. What needs to be done is not to define "reasonable security," but to require financial institutions to keep abreast of the latest security risks and adapt their protections accordingly. Hopefully the judge in PlainsCapital vs Hillary will recognize the danger of giving banks a definition to hide behind and will refuse to define exactly what reasonable means when it comes to banking security.

So outside of lawsuits, what can be done to solve this problem of banks being robbed and refusing to accept any culpability? First of all, business accounts should be given the same protections that personal accounts enjoy. Second, the regional and smaller banks that seem to be the main offenders in the lack-of-adequate-security category should honestly examine their security measures in light of what is currently out there in the way of bad guys and take steps to protect against them. Banks that are involved in lawsuits need to review their security and see if they should just settle to save time.

The business customers aren't totally innocent either, although the cases I've seen appear to implicate the banks more. If a customer who does 1 or 2 electronic transfers a month suddenly has 10 a day, it should ring alarm bells and the bank should stop the transfers. This failure to stop unusual transfers is a common complaint by business customers who have had money stolen by electronic transfers. The business may have to accept some blame, however. Are their virus definitions up to date? Has someone been going to questionable websites? Are their security policies clear and well thought out?
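The "1 or 2 a month, then 10 in a day" rule above is a velocity check, and it is simple enough to show in code. The example below is added here and is not code from the post or from any bank; it builds a per-account baseline of transfers per day from the account's own history and flags any day whose count is far above that baseline, which is the point at which a bank would hold the transfers and phone the customer. The account names, amounts, timestamps and thresholds are constructed for the example.

```python
"""Velocity check for business-account electronic transfers.
Added example with constructed sample data; thresholds are assumptions."""
from collections import Counter
from datetime import datetime

# Constructed transfer log: (account, ISO timestamp, amount).
# "acme" sends one or two transfers a month, then ten on 2010-03-10.
SAMPLE_TRANSFERS = [
    ("acme", "2010-01-05T10:12:00", 4200.00),
    ("acme", "2010-01-22T15:40:00", 1850.00),
    ("acme", "2010-02-03T09:05:00", 4200.00),
    ("acme", "2010-02-19T11:30:00", 2100.00),
] + [
    ("acme", f"2010-03-10T{hour:02d}:17:00", 9800.00) for hour in range(8, 18)
] + [
    ("globex", "2010-03-10T12:00:00", 500.00),
]


def _day(ts):
    return datetime.fromisoformat(ts).date()


def daily_counts(transfers):
    """Number of transfers per (account, calendar day)."""
    counts = Counter()
    for account, ts, _amount in transfers:
        counts[(account, _day(ts))] += 1
    return counts


def baseline_per_day(transfers, account, before):
    """Average transfers per day for `account` over its history strictly before
    the date `before`. Returns 0.0 when the account has no earlier history."""
    history = [_day(ts) for a, ts, _ in transfers if a == account and _day(ts) < before]
    if not history:
        return 0.0
    span_days = (before - min(history)).days or 1
    return len(history) / span_days


def flag_velocity_anomalies(transfers, factor=10.0, min_count=5):
    """Return {(account, 'YYYY-MM-DD'): count} for days where an account made at
    least `min_count` transfers and more than `factor` times its daily baseline.
    `min_count` keeps a first-ever transfer (baseline 0) from being flagged."""
    flagged = {}
    for (account, day), count in daily_counts(transfers).items():
        baseline = baseline_per_day(transfers, account, day)
        if count >= min_count and count > factor * baseline:
            flagged[(account, day.isoformat())] = count
    return flagged


if __name__ == "__main__":
    for (account, day), count in sorted(flag_velocity_anomalies(SAMPLE_TRANSFERS).items()):
        print(f"HOLD {account}: {count} transfers on {day}, confirm with customer by phone")
```

For the sample data the check holds only the burst of ten transfers from "acme" on 2010-03-10; the account's earlier one-or-two-a-month activity and the single transfer from "globex" pass. A production version would also look at amounts and destination accounts, but the daily-count baseline alone already catches the pattern the post describes.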

If things keep going the way they are now, before long no business will trust their banks. That will make for some serious headaches, since it's almost impossible to do business without a bank account these days.

Tuesday, March 16, 2010

Obama supports DNA sampling when arrested

Politico's Josh Gerstein tells us that, "President Obama backs DNA test in arrests." In an interview with John Walsh on America's Most Wanted the President professed his strong support for gathering the DNA of everyone arrested for a felony crime:
"It's the right thing to do, and then, as you well know, John, this is where the national registry becomes so important, making sure that, not only are we getting these DNA tests done state by state, but then, nationally, everybody's talking to each other. That's how we make sure that we continue to tighten the grip around folks who have perpetrated these crimes."

It's a great sentiment. The problem is that when it comes to DNA testing upon arrest, it's wrong. In the interview John Walsh says that it's no different than taking fingerprints or an arrest photo. But that is not true.

DNA samples, unlike fingerprints, don't just identify you. They have the potential to reveal health issues, genetic relationships (siblings, parents), and possibly potential behaviors. You may give up the right to protect this information if you are convicted, but to take it upon arrest flies in the face of "innocent until proven guilty." Requiring a DNA sample of people who have been arrested, but not indicted, let alone convicted, says the exact opposite. It assumes you are guilty until the DNA sample proves you innocent. That is not the way justice is served in the U.S.

See the portion of the interview that talks about DNA (about halfway through) on YouTube.

See the entire interview on amw.com

Monday, March 15, 2010

Supreme Court to review "Informational Privacy"

Last week David Kravets of the Threat Level blog on Wired.com reported that the Supreme Court is going to review a decision by the 9th Circuit. The 9th Circuit says the government does have limits on the information it can seek on potential employees. The case arose because a group of NASA contractors objected to background checks that included queries into their sex lives, finances, and drug use.

I do believe it's important to protect our national secrets, and NASA is certain to have a few. But I believe the 9th Circuit had this one right, and I hope the Justices feel the same. Now, I don't have a problem with drug tests. Most jobs should be done by someone who's not stoned. And it's pretty normal to check sexual habits and finances of persons getting security clearances, although the reasons for that probably need to be revisited.

These contractors were not getting security clearances. Their jobs didn't require them. The intense and extensive checks were initiated in 2004 by the Bush administration. The Obama administration asked the Supreme Court to review the case because the checks are done on all federal employees, and the administration wants the checks to continue. But those checks seem a bit excessive. Whether they are gay, straight, have excessive debt, or are obsessed with collecting every Beanie Baby ever made has nothing to do with their ability to do a job. Men with security clearances need to be as squeaky clean as possible so there are as few handles for bad guys to use. Persons with no access to secret information don't need to be as squeaky clean. And just because a person works for the government does not mean the government needs to know everything about him.

Friday, March 12, 2010

Betty White, Megatron get boost from Facebook

You have to love the power of the mob. And the mob has spoken. They want Betty White to host Saturday Night Live, and Saturday Night Live has listened. According to E! Online she will be hosting the Mother's Day episode on May 8th along with 6 female SNL alumnae. It's a well-deserved honor that only took 35 years, a Super Bowl commercial and roughly 500,000 fans on Facebook to achieve.

On a sillier note, Michael Affinito's Facebook page, "MY SISTER SAID IF I GET ONE MILLION FANS SHE WILL NAME HER BABY MEGATRON" speaks for itself. No one knows for sure if it's real, and since the baby isn't due until August most of us will forget about it long before the baby is named. But if it is real, and she's true to her word, the baby will be named Megatron. Michael already has well over the required 1 million fans, so in 5 months we may be seeing headlines like, "Mother gives birth to Transformer."

Thursday, March 11, 2010

Ford: First Online Road Devices

Or maybe First Online Road Death? That last is a little unlikely, but in the realm of possibility. Ford is bringing a new meaning to "mobile device," and adding to the list of web-enabled devices. With Microsoft, Ford developed Sync and started putting it in some Ford vehicles in 2008. Sync allows you to connect Bluetooth phones or USB devices like MP3 players to your car and control them with voice commands. It's a really neat bit of technology, but Ford wasn't satisfied to rest on their laurels.

Kevin Spiess reports on Neoseeker.com, "Ford to use Windows CE in some 2011 models." With the functionality of a full OS, Sync will become more powerful, offer more control options, and will provide wifi connectivity for web browsing when parked. As delivered from the factory the web browsing will only work when the vehicle is in park, but I figure about 2 weeks (or less) after the first wifi-enabled Ford is delivered there will be a way to activate browsing while driving.

But as surprising and innovative as wifi-enabling a car may be, what is more impressive is that Ford is thinking about security long before implementing wifi in the cars - both to protect users' data and to protect the system from malware that might endanger the car and its occupants. That's important since connectivity will include social networks and other high-risk locales.

The security features are pretty decent. A hardware firewall between the engine computer and the entertainment computer is one nice thing. They can't totally separate the two because they need to share things like GPS data and highway speed, to name a couple. To help protect against malware, Sync will only accept software from Ford, and it won't allow installation through the wifi connection. There are other features to keep your data safe in your car.

And the security doesn't just cover electronic assets. There are features that will make Ford vehicles with Sync unattractive to thieves, too. An engine immobilizer keeps the engine from turning over unless a coded key is used, and a keycode allows the car to be opened even if the key fob is left in the car.

Ford is taking a lead position in bringing the automobile to the internet, and vice-versa. It will be interesting to see where this trend goes over the next few years.

Wednesday, March 10, 2010

United States national worker ID card

From Laura Meckler at the Wall Street Journal:
"Lawmakers working to craft a new comprehensive immigration bill have settled on a way to prevent employers from hiring illegal immigrants: a national biometric identification card all American workers would eventually be required to obtain."

Really neat idea, except that it won't work. It won't even be an improvement on the current method. People paying illegals cash under the table will continue to do so. This ID card won't do anything to change that. It will give the government increasing ability to monitor law-abiding citizens without doing anything to affect the problem it's supposed to solve.

While this should be self-evident, Senator Chuck Schumer (D., N.Y.) obviously thinks that biometrics are magically going to force all employers to check employees' eligibility and pay by traceable means that make it necessary for all employees to be legal. He actually believes that requiring a biometric card is more effective than requiring a Social Security card. Talking about illegal immigration he says, "If you say they can't get a job when they come here, you'll stop it." The only problem is, we say that now, and it's patently a lie.

Of course, not everyone thinks a national employee ID is a bad thing. The Christian Science Monitor is very much a believer in a national employee ID. In an editorial entitled "Immigration reform rests on a national worker ID" the CSM editorial board states:
"Obama could quickly reduce the nation’s high jobless rate with passage of a law requiring legal residents and Americans, even teenagers, to obtain a federal ID as legal workers. Migrants working outside the law would then be forced to come clean on their illegal activity, leave the country, and perhaps properly apply for a US visa – as millions of law-abiding people do around the world who wait years to enter the US.

To reach full employment, Obama needs to create about 8 million jobs – or nearly the number of illegal immigrants in the US."

I have two problems with that quote. The first regards illegal workers having to come clean. Why? What is this ID going to do that will force illegal workers (or their employers) to suddenly 'fess up? Even assuming most illegals bother with forged or stolen Social Security numbers, what's to keep employers from paying in cash and misreporting their number of employees anyway? Admittedly, if you're paying more than two or three employees, cash can be problematic.

The other is the figure of 8 million illegals. That may be the suspected or deduced number, but it is impossible to prove. Even if it's correct, to say that all 8 million are working is a stretch.

On Foxnews.com, Alex Nowrasteh's article, "5 Reasons Why America Should Steer Clear of a National ID Card" gives a very clear, thought out explanation of the problems inherent in a national ID card. Briefly, they are:
1. Workers would have to ask the Federal Government before getting a job.

2. National ID's are perfect for controlling citizens movements: "Your papers, please."

3. The system will accidentally exclude millions of legal workers and fail to catch the majority of illegal ones.

4. The scanners are up to $800 - or employers can make a trip down to the local DMV to check their workers' IDs.

5. Law abiding citizens are treated like criminals - we will have to divulge information that the government cannot require of us now because we are not criminals. (That's the biometric data, in case you're wondering).

There is one way the national employee ID card would work. It would require a fundamental change in the way we live, not to mention being a harbinger of the end times. If we move to an entirely electronic economy we get rid of all but an insignificant amount of illegal alien employees. If we go to an entirely electronic economy and make your biometric employee ID your bankcard, too, then the only way to buy anything is with your employee ID card. It can be tied to your credit cards, debit cards, and all of your accounts. Utilities, insurance, gym memberships, all pulled from your national employee ID card. It would solve so many problems. It would be much harder for illegal aliens to find employment, it would encourage employers to hire U.S. citizens or legal aliens, and it would give the government what it wants - a way to track all citizens at all times. All you have to do is surrender your privacy and freedom.

Tuesday, March 9, 2010

Maryland students teach teachers

The Washington Post reports that a group of students at Potomac High School stole teachers' passwords and were changing their grades for several months before they were caught.

They used keylogging software to capture the passwords, then logged on to the teachers' computers and changed grades. Because of the computer system and the way it was accessed there is no way to discover who changed the grades. Instead of punishing all the students whose grades were changed (some may have been red herrings), the school is just changing them back to the original grades.

The tools the students used to log passwords are easily and cheaply available online. To prevent this kind of problem, students need to be locked out of adding software and of mounting or running .exe files from USB drives - in fact, flash drives, or any USB drive, shouldn't mount from teacher or student accounts. If schools don't take these kinds of steps we eventually won't be able to trust our schools to truly teach our kids the things they need to grow up, or to trust anything they tell us about how well the students are learning.

Monday, March 8, 2010

Privacy vs Security at RSA conference

Brian Prince of eWeek Europe reports that U.S. Cyber Defense experts agreed on two things: U.S. cyber security needs beefing up, and doing that while protecting privacy won't be easy. Former head of U.S. Homeland Security Michael Chertoff saw the situation as a balancing act:
“You don’t want necessarily to have the government literally sitting there and operating the internet and opening and closing doors because it’s not hard to imagine a situation like you have in other countries where someone makes a decision that the threat isn’t just an attack by a botnet but an attack on ideas the government doesn’t like. So the key is to build a system that allows a sharing of information that does put on critical infrastructure a responsibility to maintain itself…but preserves a certain gate between them and a certain amount of accountability so that the government can’t simply just roughshod over the privacy.”

That's an important statement - and one that very neatly sums up the difficulty of providing security while maintaining privacy. The rest of the panel discussion showed a real concern and understanding of the importance - and complexity - of maintaining privacy while ensuring security.

Chertoff was one of a three-member panel. The other two members were Marc Rotenberg, executive director of the Electronic Privacy Information Center (EPIC), and Richard Clarke, former special advisor on cyber security to George W. Bush and now chairman of Good Harbor Consulting. To be honest, I was a little surprised at the attitude shown by Mr. Chertoff and Mr. Clarke. Hearing Mr. Chertoff, co-author of the Patriot Act, talk about the importance of limiting the government's ability to invade citizens' online privacy was unexpected.

Of course, not everything they said was so pretty. Clarke wants a system that is flexible enough that it isn't compromised when some companies don't keep up with the latest patches and malware protections. His idea? Have Tier 1 ISPs do deep packet inspection to detect illicit activity. This is just a little bit contradictory to Mr. Chertoff's statement above. Deep packet inspection would mean the ISPs see everything everybody does that passes through a Tier 1 network. A lot of traffic will never touch a Tier 1 ISP, but the fact that U.S. citizens would be treated as criminals with no evidence against them would be a major constitutional problem. Of course, the nationwide phone tapping that's still going on should be a major constitutional problem too, and we know how that went. Not surprising at all that Rotenberg saw a slippery slope: "If we go down this road you really have to be very careful because one rationale easily collapses into another."

It was encouraging that Clarke felt the U.S. government had discredited itself over the past ten years where privacy is concerned. He also felt that the agency best equipped to protect the country, both military and civilian, is the NSA. But in an amazing twist, he feels that the NSA is not the agency that should be protecting the private sector. The problem is, there isn't anyone looking out for the private sector:
“The problem is right now no one is defending the private sector,” he continued. “The theory of the Obama administration seems to be cyber-command defends the military, DHS (Department of Homeland Security) – which can’t do it yet – defends the .gov community, and the rest of us are on our own.”

As scary as that is, it's better than being watched by the NSA. And I'm happy that all three panel members seem to agree with that sentiment.


Friday, March 5, 2010

Facebook, Twitter used to scam brides-to-be, vendors

This is an interesting tale. Set up a Facebook page, garner followers (real or not), get a Twitter account, and rake in the dough. These internet entrepreneurs created a Facebook page and tweeted about a nonexistent bridal show, sold upwards of 5,000 tickets, collected booth fees from hopeful vendors, and even got a free radio spot in exchange for a reduced booth rental. Not a bad scam. I first read of it on Ars Technica in an article by Jacqui Cheng.

It seems that almost $150,000 was taken from attendees and vendors. The Facebook page is down, and the Twitter account probably is, too. The bad thing is, short of calling the convention center to ask whether the event is really scheduled, I don't know how you could see through this scam. Maybe the fact that payment was taken through PayPal? That's not really an indicator; plenty of legitimate small events take payment that way. I'm sure we'll see more about this, and more examples of similar scams, in the future.

Thursday, March 4, 2010

TMI - some info shouldn't be realtime

February 2009 - "Just landed in Baghdad," tweeted Peter Hoekstra while on a 'secret' trip to Iraq. The media were aware of the trip, but had agreed to embargo the information until the delegation arrived back in the U.S., for the congressmen's safety. Since Hoekstra started tweeting before they had even left, the newspapers needn't have bothered.

March 3, 2010 - "On Wednesday we clean up Qatanah, and on Thursday, god willing, we come home," the soldier wrote on his Facebook page, referring to a West Bank village near Ramallah. That's from a story on Haaretz.com about an operational security breach via Facebook. The mission the young man (he may not be a soldier any more) mentioned has been scrapped. According to Robert Mackey on The Lede, details such as the unit's name and the time of the raid were also revealed.

In the first case, Congressman Hoekstra was a former chairman and a senior member of the House Intelligence Committee. You would think a man with that kind of background would have more sense than to tweet details of his Baghdad itinerary. In the second, you would think a young soldier would be aware that posting details of an upcoming mission on Facebook would be a severe security breach, and could even be considered treason. But I wonder. How many of us actually realize how widely available the things we put on Facebook and Twitter really are? Do we really understand that what we post there can be seen by just about anyone? With all the foolish things being put up on Facebook and Twitter, the real surprise isn't that two people posted information that compromised national security on social networking sites; it's that we don't see a lot more of this happening.

I'm sure that most of my readers aren't in a position to spill national secrets, but spilling your own secrets can be bad enough. Think before you post on any site, and avoid the embarrassment of foot in mouth.

Tuesday, March 2, 2010

High school predator stalks Facebook

In Wisconsin a darker side of Facebook was revealed last December when Anthony Stanci pleaded no contest to two felonies. It must have been a plea bargain, because the 19-year-old had blackmailed at least seven of his fellow students for sex. Between 2007 and 2008 he ran a Facebook page that he used to trick male classmates into sending him nude pictures of themselves. He pretended to be a girl, and after classmates exchanged pictures with him (it's not hard to find nude pictures of girls on the internet), he threatened to post the boys' pictures online unless they had sex with him.

Stanci might still be blackmailing teens for sex if he hadn't been greedy. One of his victims had been unwilling to speak up to protect himself, but when Stanci wanted pictures of the young man's brother, that was too much. He went to his parents, and the police were called.

Last week Stanci was sentenced to 15 years in prison. According to his lawyer, that is a fair sentence, and it will give him time to rebuild his life after he gets out. That's really great, but I wonder who is making sure the youngsters Stanci victimized get their lives rebuilt?

It's important that we make sure our children know they cannot assume they know who someone is online, and that we remember it ourselves. Otherwise we make it too easy for predators to prey on us.

Monday, March 1, 2010

Ensured privacy: Data with a lifespan

In a video report entitled "The Future of Data Encryption," ZDNet's Sumi Das tells us about a budding technology that will, it is hoped, make sure that any online data you don't want coming back to bite you in the buttocks will die a graceful death. A team of researchers at the University of Washington in Seattle is developing an encryption scheme that makes data become inaccessible on its own. Called Vanish, it encrypts the selected data under a fresh key, splits that key into pieces using threshold secret sharing, and scatters the pieces across nodes of a public peer-to-peer network. The key is never stored with the data. As nodes churn out of the network and their pieces are lost, there are no longer enough pieces to reassemble the key, and the encrypted data becomes permanently unreadable.
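To make the mechanism concrete, here is an added example of my own (Python, not the Vanish team's code): a small model of the scheme described above. A message is encrypted under a random 256-bit key, the key is split with Shamir's threshold secret sharing into n shares, the shares are parked on simulated network nodes, and recovery is attempted after some nodes have left. Everything outside the Shamir arithmetic is an assumption for illustration: an HMAC-SHA256 keystream stands in for a real cipher so the example needs only the standard library, a dictionary stands in for the distributed hash table, and the message is constructed.

```python
import hashlib
import hmac
import secrets

# Prime field for Shamir sharing: the Mersenne prime 2**521 - 1 is larger than
# any 256-bit key, so the key itself is a valid field element.
P = (1 << 521) - 1

# Constructed sample message; nothing here comes from the Vanish project.
SAMPLE_MESSAGE = b"Meet at the usual place at 9, and delete this after reading."


def keystream_encrypt(key, data):
    """XOR data with an HMAC-SHA256 counter-mode keystream (stand-in cipher).
    Symmetric: applying it again with the same key decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def split_secret(secret, n, k):
    """Shamir's scheme: n points of a random degree-(k-1) polynomial over GF(P)
    whose constant term is the secret. Any k points recover it."""
    assert 0 <= secret < P and 1 <= k <= n
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation of the polynomial at x
            y = (y * x + c) % P
        shares.append((x, y))
    return shares


def recover_secret(shares):
    """Lagrange interpolation at x = 0 over GF(P). With fewer than k points this
    returns a wrong value, so callers check the count and verify the key."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


class SimulatedDHT:
    """Stand-in for the peer-to-peer network: each node holds one share and
    leaves (churns out) after a while, taking its share with it."""

    def __init__(self):
        self.nodes = {}

    def store(self, node_id, share):
        self.nodes[node_id] = share

    def churn(self, leaving):
        for node_id in leaving:
            self.nodes.pop(node_id, None)

    def available_shares(self):
        return list(self.nodes.values())


def seal(plaintext, dht, n=10, k=7):
    """Encrypt under a fresh key, MAC the ciphertext, push the key shares to
    the network, and return a capsule that contains no key material."""
    key = secrets.token_bytes(32)
    ciphertext = keystream_encrypt(key, plaintext)
    tag = hmac.new(key, ciphertext, hashlib.sha256).digest()
    for idx, share in enumerate(split_secret(int.from_bytes(key, "big"), n, k)):
        dht.store("node-%d" % idx, share)
    return {"ciphertext": ciphertext, "tag": tag, "threshold": k}


def open_capsule(capsule, dht):
    """Return the plaintext, or None once too few shares survive to rebuild
    the key (the data has 'vanished'). The MAC check rejects a wrong key."""
    shares = dht.available_shares()
    if len(shares) < capsule["threshold"]:
        return None
    key = recover_secret(shares[:capsule["threshold"]]).to_bytes(32, "big")
    expected = hmac.new(key, capsule["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, capsule["tag"]):
        return None
    return keystream_encrypt(key, capsule["ciphertext"])


def demo():
    """Seal a message, read it while enough nodes are up, then lose 4 of 10
    nodes so only 6 shares remain against a threshold of 7."""
    dht = SimulatedDHT()
    capsule = seal(SAMPLE_MESSAGE, dht, n=10, k=7)
    before = open_capsule(capsule, dht)
    dht.churn(["node-%d" % i for i in range(4)])
    after = open_capsule(capsule, dht)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before churn:", before)
    print("after churn: ", after)
```

The threshold is what gives the scheme its shape: with k of n required, the data survives the loss of up to n-k nodes and disappears the moment one more goes. Note what the model does not protect against: anyone who collects k shares while they are still live holds the key forever, so the guarantee depends entirely on shares expiring faster than an adversary can harvest them from the network.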

It's an interesting concept. I see a few problems, and it will be interesting to see how they overcome them. First, what's to keep someone from copying the data? Once the recipient has decrypted it, a copy made with copy and paste is plain text and isn't affected by the Vanish software at all. There are also screenshots. Of course, it is possible to block copying and screenshots, but I have to wonder whether doing that wouldn't actually make people less likely to use the software. One thing we like to have is control of the data we receive on our computers.

Another problem is getting people to use it. PGP has been around for almost 20 years, and its open source cousin, GPG, for a little over 10, but neither has been embraced by the general web-using public. The twin problems of setting yourself up and then getting your friends and colleagues to set themselves up are more than most people want to deal with.

Of course, a simple way to get it adopted would be to have a major OS or email client integrate Vanish and gain millions of users overnight. Microsoft is the logical choice, but Apple would do for a start.