Wednesday, May 19, 2010

Hacking pacemakers

It was reported by the New York Times in March that a wireless security flaw had been discovered in a defibrilator-pacemaker. The researchers who disovered it used a device in a laboratory, not one implanted in a real person. They were able to deliver potentially fatal shocks and even received patient data from the unit over the wireless transmitter.

There's not really any risk of your pacemaker getting hacked at this point. But it is a growing concern among security experts who try to see where the risk is 2, 5, 10 or more years from now. It's a very low risk concern right now, that could change.

As computers become more intertwined in our day to day lives, even into our bodies in the form of things like pacemakers and insulin pumps, and even prosthetic limbs the possibility of malware being written for them increases. If anyone can find a way to make money doing it.

In April's Lauren Cox took a deeper look at the possibility of taking over implantable medical devices. She brings up one very interesting point - a point that's also a little frightening:

"What's more, people with ICDs often are public about them. Former Vice President Dick Cheney is one example of a high-profile American with a device."

It's way to early to say there ever will be assassins using implanted devices to kill. But can we afford to wait for it to happen before we take steps to protect against it?

Tuesday, May 18, 2010

Federal high tech security boondoggles

In an article by Ken Dilanian, - the Washingtom Bureau of the Chicago Tribune - reports that a number of high tech security programs initiated by the Bush administration have flopped. The biggest reason for the failure? Failure to properly test the technologies before implementation. A weakness shared by the current technical bandaid, full body scanners.

Technology is an important tool in the war against terror. But according to Brian Jenkins of the Rand Corp the Department of Homeland Security is overly reliant on technology. There is no silver bullet, but new technologies are treated as the final solutions to our national security problems.

From the "virtual fence" aka Project 28, on our southern border to the Real ID Act that Homeland Security Secretary Janet Napolitano has called for Congress to repeal, U.S. high tech anti-terrorism initiatives aren't working as advertised.

In fact, recently the majority, if not all, of the terrorist that have been caught before attempting terrorist acts have, to the best of our knowledge, not been caught through new, high tech gadgetry but through old fashioned investigation and surviellance techniques. Techniques that employ technology, but as a tool, rather than as the lynchpin of the procedure. Maybe it's time we started focusing on the things we know work, and take the time to do proper testing of new technologies before entrusting the lives of our citizens and the security of our nation to them.

Monday, May 17, 2010

Google accidentally spys on open WiFi

Ben Rooney of reports that the Google has admitted that it's Streetview cars have been collecting data from open WiFi hotspots. Google first admitted to collecting the publicly broadcast information of open hotspots, things like the network names and router numbers, on April 27th. But after being asked for more information, Google says that they discovered more data was being collected - private data in the packets being transmitted across the network. Supposedly the code that gathered data packets was accidentally entered into software used to gather public information on WiFi.

The software changes channels five times a second, so only bits and pieces of data would be gathered. Encrypted data, like the communications between you and your bank account, cannot be read, so it won't have been compromised by Google's illicit scans.

Google is, of course saying that it was an accident. In response they have stopped all scanning of open WiFi by their streetview cars until they can repair and replace the faulty software. They have arranged for a third party to review the software and the data collected from public WiFi networks.

This is a major blunder by Google. Whether it was a case of pushing the envelope to see what the reaction would be or an honest mistake, it's going to hurt Google's reputation. This one I tend to believe was an accident. In many nations it is illegal to tamper with electronic communications. Google may want to gather and use information, but breaking the law to do it isn't good business.

Friday, May 14, 2010

Bye-Bye Farmville, hello, StreetFighter? (plus new security)

Facebook is offering new security features to make it harder for cybercrooks to hijack your account. Registered devices, login notifications and other features make your account more secure. That is a good thing, but until Facebook makes it easier to keep your data private it doesn't mean a whole lot. And I use very strong passwords, so the information that gets shared from my account is a much bigger concern than someone hacking into it.

The Zynga/Facebook marriage may soon be over. Apparently Facebooks new policies may actually be costing Zynga users, and Facebook supposedly tried strongarm tactics to force the Farmville creator to remain exclusive to Facebook in their last negotiations. Instead, there is talk of a Zynga live network - and a complete pullout from Facebook.

In a perhaps related story (or perhaps not) Capcom has announced they are preparing their first Facebook game.

“Gaming on social networks is poised to impact the traditional video game industry and is a presence that cannot be ignored,” Capcom President Haruhiro Tsujimoto said in an interview in Tokyo yesterday. “We have to make our move.”

Facebook as a game platform is growing, with more of the heavy hitters in gaming working Facebook into new releases in one way or another. In addition to Capcom, Electronic Arts and Blizzard have announced upcoming Facebook gaming presence. Facebook is working to become the internet, but they may become the gameworld without even trying.

Thursday, May 13, 2010

Does Arizona have the right idea?

I have to wonder if Arizona’s Jan Brewer doesn’t realize what she’s doing, or if she really believes so strongly in the importance of these racially charged bills that she is willing to sacrifice her political career. Just a few short weeks after passing the controversial immigration law, the Associated Press reports that, “Arizona gov. signs bill targeting ethnic studies". According to the story, “State schools chief Tom Horne, who has pushed the bill for years, said he believes the Tucson school district’s Mexican-American studies program teaches Latino students that they are oppressed by white people.”

Like the immigration bill before it, the purpose of the education bill as described in the story doesn’t seem that objectionable to me. I understand the concerns that the immigration bill could lead to racial profiling. That is a legitimate concern, but doesn’t change the fact that illegal immigrants are here illegally. I'm glad the immigration bill specifically prohibits stopping someone just to ask about their citizenship, but only time will tell if law enforcement abides by that.

I also understand that this education bill could be used as a reason to stop teaching about the contributions minorities have made to this country. It shouldn’t, and there is nothing in the bill to prevent classes on Hispanic (or any other minority) influences on U.S. history. It only prohibits classes intended to only be taught to a specific group. I'm not surprised - if it's illegal to have schools for specific groups, why would it be legal to have classes set up that way?

I do object to the prohibition against teaching “ethnic solidarity." Being proud of your heritage could be considered “ethnic solidarity.” Everyone should be proud of their heritage, and there’s nothing wrong with schools teaching that. But you should be proud of your entire heritage. Whether you are a recent immigrant or your family has lived here for generations (or centuries), whatever continent your ancestors hailed from you should be able to look to your entire history, both your ancestry and your nation, for a sense of pride in your heritage. Schools should promote that. To promote that they should be helping students realize that even though we are all different, we all share many things in common. Apparently the Tucson school districts ethnic studies program doesn’t always do that. According to the AP story:

"Horne, a Republican running for attorney general, said the program promotes "ethnic chauvinism" and racial resentment toward whites while segregating students by race. He's been trying to restrict it ever since he learned that Hispanic civil rights activist Dolores Huerta told students in 2006 that "Republicans hate Latinos."

It’s one thing to promote pride in your heritage. It’s another thing entirely to promote hatred, and that is what you are doing when you tell someone that an entire group of people hates them.

Both of these bills are controversial, although the neither bill should be. Not if they were really written and passed for the stated reasons. Enforcing the law is the duty of law enforcement officers. I believe the oath most of them take is to enforce laws of the community, state and country, not just the laws of whatever level of government (city, state or federal) happens to employ them. Schools are supposed to teach kids and to prepare them for life - and make them productive, loyal citizens. Like it or not, propaganda has always been one purpose of the public school system. It is a legitimate purpose. No modern society can survive if it's children are taught to hate and distrust people who are different - different people are part of our society.

Teaching the bad things that happened in the past does not have to be divisive or disruptive - and should not be. Enforcing legitimate laws - for instance, laws requiring visitors to our country to go through the same established legal channels our citizens have to go through to visit their countries - should not be divisive or disruptive. But sensational headlines and soundbites can cause them to be. So can poorly thought out or carelessly worded laws.

So does Arizona have the right idea? Should we be taking steps to enforce immigration laws? Before you answer, maybe you should cross illegaly into Mexico, Canada, or any European nation and see what happens if you get caught. Should we prohibit/monitor what is taught in classes to make sure it is for the common good? Should we make sure that classes that teach about the contributions of non-caucasions to our country are taught to everyone, so all students benefit from them? Better yet, should we make sure that those contributions are part of the standard classes - requiring that they be taught, not just that they appear in the textbooks?

Based on what I know of the two laws, I would say that they do have the right idea. If giving current illegals amnesty and a path to citizenship worked to discourage illegal immigration, we wouldn't be having this discussion. If an activist speaker was allowed to sat that Republicans (widely portrayed as all rich white people) "hate latinos," that's promoting racial tension, and should not be allowed in schools. Would she have said that if it was a class of all ethnicities? Would she have wanted to speak to such a class? I don't know. And I don't have a problem with her being asked to speak to a class. I do have a problem with classes being used to promote a particular political party or cause, and that's why I think Arizona has it right on the education bill, too.

Wednesday, May 12, 2010

Could Buzz become Facebook for education?

In his blog entry on ZDNet, "A social networking call to arms" Christopher Dawson looked at Google as the potential social networking provider for education and business. He makes some good points. In the past Google has been considered a nemesis of personal privacy for their retention of user search and email data long after the fact. But they have responded to their users concerns by limiting the time data is kept, and when they made the major blunder at the introduction of Buzz were quick to fix the problem. Facebook, on the other hand, is continually expanding what user information is considered public without consulting users or seeming to care about their wishes. Schools have to keep certain data private, and Facebook does not allow that.

There was a time when Facebook might have been useful as a tool for teachers. That time is long past. But a social network run by Google could work. Google does not make change their privacy policy every six months (or less) in an effort to make more of the user data public. And Google has experience providing secure services in the cloud to businesses already. They already have most of the ingredients of a successful social media site if they can find a way to tie them all together. Google Search, Google Reader, Youtube, Blogger and Google's handling of privacy issues are some pieces of the puzzle. All Google needs is a way to package them together that satisfies the privacy and security needs of educational institutions while providing the social experience people want.

Tuesday, May 11, 2010

Facebook users love sex!

Shira Lazar of reports that Dan Zarella has written an algorithm that analyzes social media posts and create a psychological profile of the poster. And according to his analysis of 12,000 posts (posts, not users posts), Facebook users love sex. I have to wonder if his sample is large enough to be statistically significant, and how he selected them, but it still puts that English researchers conclusions about Facebook and syphilis in a new light.

I also have to wonder how many of those people posting about sex will have reason to regret it later.

Monday, May 10, 2010

More Homeland (in)Security

In a report on Yahoo News, EILEEN SULLIVAN and MATT APUZZO of the Associated press tell us why Faisal Shahzad was almost able to leave the country by plane after his alleged failed bombing attempt. It's a sad statement that just four months after dumb luck kept the crotchbomber from blowing himself and his fellow passengers out of the sky in a plane he shouldn't have been able to board, dumb luck again prevents a terrorist wannabe from igniting his bomb - and in this instance, escaping by boarding a plane he should never have been able to board.

This sad statement on U.S. security reminded me of an almost 4 year old blog post by Bruce Schneier on the arrests in July, 2006 of terrorists reportedly hoping to set off a so-called "binary explosive" - something apparently extremely difficult to do. Regardless of the likelihood of that scenario, Mr. Schneier makes some very good points:

"None of the airplane security measures implemented because of 9/11 -- no-fly lists, secondary screening, prohibitions against pocket knives and corkscrews -- had anything to do with last week's arrests. And they wouldn't have prevented the planned attacks, had the terrorists not been arrested. A national ID card wouldn't have made a difference, either.

Instead, the arrests are a victory for old-fashioned intelligence and investigation. Details are still secret, but police in at least two countries were watching the terrorists for a long time. They followed leads, figured out who was talking to whom, and slowly pieced together both the network and the plot."

Last Christmas's intelligence fiasco points out the same thing. In 2001 we had a massive intelligence failure - all the pieces were there, but inter-agency, even intra-agency, rivalry prevented the all the pieces being gathered to be put together. In December 2009 all the pieces were there, but were ignored, or not communicated in a timely manner. In the two incidents of the last 6 months the terrorist boarded an international flight despite being on the no-fly list. All of this shows that we don't need more ways for the government to monitor and spy on us. Adding new ways to gather information so it can be misused - or not used at all - is not an answer. We need to make proper use of the methods we already have in place. Then we can know what is working and what needs changing.

Friday, May 7, 2010

Facebook - Too big to regulate?

Robert Scoble of the Scobleiezer blog expressed the opinion last week that it is too late to regulate Facebook. He raises some good points, but I think he is missing a couple of things, too. He raises several points, covering both what Facebook has done, and what governments might do to regulate it (and why it's moot to try).

For his discussion of what Facebook has done and why it's shaking up internet businesses that never expected Facebook to have any impact on them, read his post. It's interesting (and troubling), but for my purposes, what he says about the futility of trying to regulate Facebook is more important.

So what exactly does Mr. Scoble think governments can do to Facebook? Effectively, not much, because anything they do will have either no effect or the opposite of the intended effect. But he does list three things governments can do - four reasons it won't matter if they do - along with my comments in italics:
Well, first of all, what can government do?

1. They can force Facebook to switch its defaults on its new Instant Personalization program. The government could force Facebook to turn that feature off by default and make me “opt in” for you to see my Pandora music.

2. They could fine Facebook for its behavior.

3. They could call Mark Zuckerberg in front of Congress and call him nasty names.

But what else could the government do? I don’t see too many options. Do you?

So, why is it too late to regulate Facebook?

1. The damage is done. Well, let’s assume they made them switch Instant Personalization to opt in. Who cares? The damage is done. My Pandora already has all your music shared with me. Most Facebook members won’t change their privacy settings from what they already are. So, old users will keep sharing their music and only new members will be asked to opt in to these new privacy-sharing features.

Like he says, most people will never change their privacy settings, so this could actually be very effective. It's better if done quickly so as few people as possible notice, but until more services join up changing the settings from default-share to default-private will go largely unnoticed.

2. The regulation will come too slowly. Government never moves fast. Even when it’s motivated. So Zuckerberg has at least a few months to aggregate his power before Government slaps him on the hand. Government is not going to be able to prevent that top 50 website from putting Facebook’s new features into its service. Government will not keep me from using Pandora.

Unfortunately, this is very true. Governments act slow unless directly threatened (ie, Pearl Harbor or 9/11). Each month action is delayed action becomes more difficult.

3. The regulation will come after we get used to new privacy landscape. Already I’m finding I’m getting used to the fact that you all can see my data and that I can see yours. So, if Government comes along and tries to regulate that it will get pushback from me. Why? Well, I actually like the new Pandora features. I’m finding a ton of cool music because Zuckerberg forced you to give up some of your privacy. So what that I can see that you like Kenny G? Users will get addicted to these new features and they won’t take kindly to some government jerk taking away these new features.

Again, very true. The unfortunate truth is that users will decide they're willing to lose a little privacy for these nice features, but won't realize how much privacy they're giving up until it's too late.

4. Giving Zuckerberg a fine will not change Facebook’s behavior. If anything it will just push him to monetize these features more aggressively in order to pay the fine. Just wait until Cocacola icons show up next to all those Facebook like buttons. Government taxation, which really is what fines are, might have a negative effect long term.

Sadly, Mr Scoble knows what he's talking about. Fines will have as much effect as they did on Microsoft. The threat of being broken into three companies scared MS, not fines. And even that had little effect.

Robert is right. Of the three options he sees, only one has any chance of success. Government intervention could make some changes to the way Facebook handles user data, but unless it's done quickly, it will just be going through the motions. It's up to the users of Facebook to force Mark Zuckerberg to respect their privacy. Sadly, most don't realize the value of what they are giving up to him, so they are unlikely to do anything.

Thursday, May 6, 2010

Facebook exposes private chats

In the Bits blog Nick Boltin reports on the Facebook bug that exposed private chats to public scrutiny. Facebook claims the bug was only live a few hours, and has shut down chat until the bug can be fixed (perhaps by the time you read this). This can't help Facebooks reputation in the eyes of the Electronic Frontier Foundation or Senator Charles Schumer (D, NY). Senator Schumer is one of the Senators calling on the FTC to craft privacy guidelines for social networks.

I'm not sure this was really an accident. Yes, I'm being paranoid and cynical, but the Facebook business model is to push for users to make everything public. I wouldn't be surprised if this was a 'live test' to see what kind of reaction results from this "bug".

Wednesday, May 5, 2010

10 reasons to leave Facebook

This post is a direct copy of Dan Yoder's April 26th post on his blog used in accordance with his Creative Commons Attribution-Share Alike license.

Top Ten Reasons You Should Quit Facebook

DateMon Apr-26 2010 | AuthorDan Yoder

Ban FacebookLet's all ban Facebook!

Update: Due to the surprising popularity of this post, I feel I should be absolutely clear about my role as VP of Engineering for a Hollywood-based social media startup, BorderStylo. The opinions expressed here are purely my own and are not in any way endorsed by my employer. While I do not see our applications as directly competitive to Facebook, nor have I presented them as such, it would be disingenuous not to mention this.

Tuesday, May 4, 2010

Alcohol + camera + Facebook = no play

Greg Cergol from reports that several lacrosse players at Ward Melville High School in New York were suspended when school officials saw pictures of them drinking on Facebook.

Fifteen lacrosse players were suspended because of the pictures - six of them indefinitely. This kind of occurrence isn't anything new, although this may be the largest group of high school students to hose themselves on Facebook to date. If I had any illusions about high school students thinking about how private Facebook really is, my favorite quote from the article would have disabused me:
"Maybe it's not the smartest move to have put the photos up," said senior Teddy Ouwerkerk. "I guess Facebook isn't the most private after all."

Monday, May 3, 2010

Facebook users risk blackmail

Everyone who follows this blog knows that I do not like the way Facebook pretends to protect our privacy. But my statements pale in comparison to what Jennifer Stoddart, Canada's Privacy Czar, has to say. In a story in the Globe and Mail she says:
“I’m very concerned about these changes. More than half a million developers will have access to this data. The information will be stored indefinitely and it opens the possibility that a lot of people can be blackmailed from all corners of the world.”

That's a pretty strong assertion. I'm not sure how real a danger that is, but I understand her concern. It's embodied in another quote regarding how well Facebook is living up to the promise it made to the Canadian government to better protect members privacy. After the privacy changes announced last week she said, “They certainly seem to be moving in the opposite direction."

It's true that the constant privacy policy rewrites by Facebook would be better called 'personal publicity faciliators'. And with the odd, bewildering, and downright idiotic things that people post on Facebook blackmailable data will probably be posted by more than a few people. But once it's been posted to Facebook, how much of a lever can it be for blackmail?