Friday, July 30, 2010

Google steps up for Android users

Spencer Ante at the Wall Street Journal tells us that Google has disabled apps caught spying on users by gathering information and sending it as cleartext to a server. According to security researchers, there were 80 apps gathering user data, but all of them came from a single developer.

Google and Apple both require that users be notified before apps collect personal data, but many people don't pay enough attention to what their phone apps tell them is being gathered. Do you know what information is being gathered from your phone?

Thursday, July 29, 2010

Court OKs privacy advocate publishing Social Security numbers online

At Wired's Threat Level blog, David Kravets reports that BJ Ostergren has won her fight with the Virginia Attorney General, at least for now. Ostergren posted the Social Security numbers of elected officials on her site, The Virginia Watchdog. Ordinarily I would be against publishing private information, but there was a purpose: getting officials to begin redacting personal information from public records online. The information she posted was obtained from online public records; no laws were broken obtaining it. Posting it, on the other hand, ran afoul of a Virginia law prohibiting publishing private information.

An appeals court ruled in favor of Ostergren, saying that her first amendment rights and the purpose of her site outweighed the state law:

“We find particularly significant just how Ostergren communicates SSNs. She does not simply list them beside people’s names but rather provides copies of entire documents maintained by government officials,” the court said Monday. “Given her criticism about how public records are managed, we cannot see how drawing attention to the problem by displaying those very documents could be considered unprotected speech.”

Sometimes the subtle approach works, other times a brick to the head is required. Virginia is now in the process of redacting millions of online records.

Wednesday, July 28, 2010

How secure is your wireless network?

Thanks, Kenny, for pointing me to WPA Cracker, an online tool that will help you test your wireless network's security (or find your lost network password) for a marginal fee. The service is operated by Moxie Marlinspike, an independent security researcher, and The Institute for Disruptive Studies.

This is an interesting service. They don't seem to care much who they are "helping": they don't ask for more than an email address, a packet capture containing the WPA handshake, and the ESSID. You have to pay them using an Amazon account, but if you use a pre-loaded "credit card" and a generic email account, you can protect yourself from casual scrutiny.

WPA Cracker will run either dictionary or brute force attacks against the captured handshake; once the capture is in hand, the guessing happens offline and your network never sees it. Dictionary attacks are exactly what they sound like. The attacker has a file, the "dictionary", that contains any words, phrases, leet-speak, etc. that might be used as a password. Dictionary attacks can be very successful because many people use the same few passwords. "Password", for instance, is one of the most common passwords.

But as successful as dictionary attacks can be, they may not get you access to the account you want, because the person is a little more aware, or just plain paranoid, and uses a password generator or creates their own random passwords. While dictionaries can be extensive, they can't cover every possible combination of characters, and the gap widens as passwords get longer (a WPA passphrase must be at least 8 characters to begin with). To cover those types of passwords, WPA Cracker uses brute force attacks. Brute force attacks try every possible combination of characters for as long or as short a password as you specify. They can start with single characters and work up to as many as needed. Brute force attacks can take a very long time, depending on the length and complexity of the password, because every added character multiplies the number of candidates by the size of the character set.

It doesn't matter how complex your password is if someone is willing to put unlimited time into brute forcing it, but security is never about making a position impenetrable; it's about making penetration so hard the enemy decides it's not worth the effort required.
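To make the cost of each guess concrete, here is an added example (mine, not code from the original post or from WPA Cracker). It derives the WPA2-PSK Pairwise Master Key the way a client does (PBKDF2-HMAC-SHA1, 4096 iterations, salted with the SSID, per IEEE 802.11i), runs a small dictionary attack against a constructed target, and works out how long exhausting a full keyspace takes at an assumed guess rate. The SSID "HomeNet", the wordlist, and the 100,000 guesses/second rate are constructed for illustration; a real cracker checks each candidate against the MIC in the captured handshake rather than against a bare PMK, but the per-guess work is the same.

```python
import hashlib

# Added example; not code from the original post or from WPA Cracker.
# WPA/WPA2-PSK derives the Pairwise Master Key (PMK) from the passphrase and
# the network name with PBKDF2-HMAC-SHA1, 4096 iterations, 32-byte output
# (IEEE 802.11i). A cracker captures the 4-way handshake once and then tests
# candidates offline; the live network is never touched again.

ASSUMED_RATE = 100_000.0  # assumed PBKDF2 guesses/second for a cracking cluster (constructed figure)


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit PMK exactly as a WPA2-PSK client does."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, dklen=32)


def dictionary_attack(target_pmk: bytes, ssid: str, wordlist):
    """Try each candidate in order; return (passphrase, pbkdf2_calls) or (None, pbkdf2_calls).

    A real cracker verifies each candidate against the MIC in the captured
    handshake. Comparing PMKs directly costs the same PBKDF2 work per guess and
    keeps the example short.
    """
    pbkdf2_calls = 0
    for word in wordlist:
        if not 8 <= len(word) <= 63:
            continue  # cannot be a WPA passphrase, so skip the 4096-iteration derivation
        pbkdf2_calls += 1
        if wpa_pmk(word, ssid) == target_pmk:
            return word, pbkdf2_calls
    return None, pbkdf2_calls


def keyspace(alphabet_size: int, length: int) -> int:
    """Candidates a brute-force search must cover for one exact length."""
    return alphabet_size ** length


def seconds_to_exhaust(candidates: int, guesses_per_second: float = ASSUMED_RATE) -> float:
    """Worst-case time to try every candidate at the given rate."""
    return candidates / guesses_per_second


if __name__ == "__main__":
    ssid = "HomeNet"  # constructed example network name
    target = wpa_pmk("correct horse", ssid)  # stand-in for a PMK recovered from a handshake
    wordlist = ["password", "123456", "letmein1", "correct horse", "trustno1"]  # constructed
    print(dictionary_attack(target, ssid, wordlist))  # ('correct horse', 3): '123456' is too short to cost a guess

    for label, alphabet, length in [("lowercase", 26, 8), ("letters+digits", 62, 8), ("printable ASCII", 95, 12)]:
        years = seconds_to_exhaust(keyspace(alphabet, length)) / (365 * 86400)
        print(f"{label:16s} length {length}: {keyspace(alphabet, length):.2e} candidates, "
              f"{years:,.1f} years at {ASSUMED_RATE:,.0f} guesses/s")
```

Two things worth noticing when you run it: the length check costs nothing but lets the cracker throw away most of a generic wordlist before doing any expensive work, and because the SSID is the PBKDF2 salt, a precomputed table only helps against networks that share a common name, so renaming your network away from the router's default is a cheap win.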

When it comes to passwords, which is going to be harder to discover, whether using dictionary or brute force attacks:




Of course, that last is almost impossible to remember, so try to find a happy medium with your passwords. That will make you more secure than 98% of the rest of the world.

Need secure data storage accessible to your Macs & PCs?

I was looking at MacMerc today and saw that 1Password has integrated with Dropbox to provide secure data synchronization between Macs. 1Password is a password manager and more. To quote Rick at MacMerc:

"As you can see, 1Password is a highly secure database for keeping track of web site logins, but it also handles notes, credit cards, bank accounts, and software registration information."

That's pretty good, but using Dropbox to sync the data between computers is just cool. Dropbox is an online file sync and storage service similar to Carbonite, but free for up to two gigs of data. The 1Password data file is encrypted by 1Password before Dropbox ever sees it, so the scheme is only as strong as your master password; pick it accordingly. To make things even better, Dropbox is cross-platform with Windows, Mac, and Linux. And 1Password for Windows is now in public beta.

1Password is a commercial product that runs you $39.95 (the Windows beta is free), but that's a one-time cost, and Dropbox is free unless you go over 2 gigs of data. So in the sub-2-gig zone, 1Password + Dropbox does more and is a bargain compared to Carbonite with its annual fee.


Monday, July 26, 2010

Yahoo operates using 'situational rights'

David Kravets of the 'Threat Level' blog at Wired reports that Yahoo is "arguing out of both sides of its web portal" in its response to a suit filed by Chinese dissidents whose information was surrendered to Chinese authorities by Yahoo, resulting in their arrest and torture.

Yahoo is claiming that all it did was follow Chinese law, and that the First Amendment protects its right to deal with the Chinese government. Yahoo further argues that U.S. courts are not the proper place for the case, despite a U.S. statute allowing exactly this type of case. Kravets quotes Yahoo as saying:

"This is a lawsuit by citizens of China imprisoned for using the Internet in China to express political views in violation of China law. It is a political case challenging the laws and actions of the Chinese government," Yahoo told the court. "It has no place in the American courts."

That sounds legitimate, I suppose, from a corporate standpoint, if you ignore the fact that they would not have been imprisoned, or at least not as soon, if Yahoo hadn't ratted, er, provided the Chinese government with the information needed to locate them. It looks worse when Kravets provides a little background on Yahoo's free speech claims:

Yet two years ago, while citing the First Amendment, Yahoo went to the U.S. courts in a bid to prevent it from having to pay millions in fines levied by a French court for allowing French citizens to barter Nazi paraphernalia on its auction site, a practice against French law.

That sounds like Yahoo wants to argue that free speech should be protected if you're selling stuff on their site, but not if you're complaining against your repressive government. Ignoring problems I have with the idea that selling = free speech, it sounds to me like Yahoo is having a serious case of corporate double standard. What do you think?

Friday, July 23, 2010

Lying is protected First Amendment speech (don't tell the kids)

In a decision filed on July 16th (pdf - p1, p2 etc refer to the pdf pages) US District Judge Robert E. Blackburn stated:

The matter before me is defendant’s Motion To Dismiss Information [#13] 1 filed December 2, 2009. Having considered the motion and response and their supplements, as well as the arguments and authorities presented by amicus curiae, 2 I find and conclude that the statute under which defendant is charged is unconstitutional as a content-based restriction on First Amendment speech that is not narrowly tailored to serve a compelling government interest. Accordingly, I grant the motion. (p1)

Sounds fair. Let's see just what this protected speech is:

The Amended Information charges defendant with falsely representing himself to have been awarded a Purple Heart on four different occasions in 2006 and 2009, and falsely representing that he had been awarded a Silver Star on one occasion in 2009. By the instant motion, defendant seeks to dismiss these charges, arguing that the Act is facially invalid as a content-based restriction on free speech. (p2)

So the judge is dismissing the charges because the statute the defendant is charged under violates the First Amendment. Without even looking at what the statute says, based on the above paragraph, the judge appears to be saying that lies are protected free speech. What is the statute, and what does it say? It's Title 18, Section 704 of the United States Code (18 U.S.C. § 704). Subsection (a) states:

(a) In General.— Whoever knowingly wears, purchases, attempts to purchase, solicits for purchase, mails, ships, imports, exports, produces blank certificates of receipt for, manufactures, sells, attempts to sell, advertises for sale, trades, barters, or exchanges for anything of value any decoration or medal authorized by Congress for the armed forces of the United States, or any of the service medals or badges awarded to the members of such forces, or the ribbon, button, or rosette of any such badge, decoration or medal, or any colorable imitation thereof, except when authorized under regulations made pursuant to law, shall be fined under this title or imprisoned not more than six months, or both. (from US code at Cornell Legal Information Institute)

Subsections (b) and (c) cover specific fake medals. This law says that it is illegal to pass yourself off as a member of the armed services, and to pass yourself off as having earned awards you have not.

What in the world does this case have to do with free speech? It has to do with lying and misrepresenting yourself. According to this decision I can pass myself off as a cop. Or a doctor. Do I even have to worry about committing perjury?

To make matters worse, the judge admits that he can find only one other case that examines the First Amendment implications of this act - and that case upheld it:

The only other court that appears to have addressed the constitutionality of the Stolen Valor Act relied on a similar rationale in rejecting a defendant’s First Amendment challenge to the statute. (See id. App, Exh. A (Order Denying Defendant’s Motion To Dismiss, United States v. Alvarez, CR 07-1035(A)-RGK).)

I am not so sanguine. The government’s argument, which invites it to determine what topics of speech “matter” enough for the citizenry to hear, is troubling...  (p3)

Judge Blackburn goes on to mention a few First Amendment cases that really don't relate. He quotes from Riley v. National Federation of the Blind of North Carolina:

The very purpose of the First Amendment is to foreclose public authority from assuming a guardianship of the public mind through regulating the press, speech, and religion. To this end, the government, even with the purest of motives, may not substitute its judgment as to how best to speak for that of speakers and listeners. (p3-4)

This case is not about guarding the public mind or regulating any aspect of press, speech or religion. It's about people committing fraud, pretending to be decorated service men and women to gain benefits they would not otherwise gain from the people around them.

Well, I'm not going to go through the entire 14 page pdf here. He goes on to quote other cases and talks about what he considers the biggest weakness of the law:

The principal difficulty I perceive in trying to shoehorn the Stolen Valor Act into the First Amendment fraud exception is that the Act, although addressing potentially fraudulent statements, does not further require that anyone have been actually mislead, defrauded, or deceived by such misrepresentations. (p6)

Ok, we're not talking about a guy staging a play. We're talking about Rick Glen Strandlof. According to the Denver Post, he is a man who used an alias and made false claims about being at the Pentagon on 9/11 and in Iraq. Apparently he never served at all. Somehow, despite the fact that he misled hundreds, if not thousands, of people and solicited money from them under false pretenses, damaging the image of anyone coming after him trying to raise awareness of and/or money for veterans' issues, the ACLU and this judge have decided that he harmed no one by falsely claiming to be a decorated veteran.

An article in the Huffington Post ends with a wonderful quote from ACLU attorney Christopher P. Beall:

"The government position was that any speech that's false is not protected by the First Amendment. That proposition is very dangerous," Beall said.

Ok, I guess I can see why he says that, but it still ranks as one of the most ridiculous on-the-face-of-it quotes I've seen in a while. Especially when used in defense of someone who undertook to commit a long term, detailed and potentially very lucrative fraud.

If you'd like to read the rest of the decision, you can download the pdf here.

Student sued for dissin' company on Facebook

Meaghan M. Norman of WILX News 10, Lansing, MI, reports that Justin Kurtz, a 21-year-old student, is being sued because he put up a Facebook page complaining about the business practices of T&J Towing. They allegedly towed his car when it was properly parked, tried to scrape off the parking sticker, and then made him pay for the illegal tow.

Justin created the page because he wondered if anyone else had had problems with the towing company. 14,000 fans later, T&J Towing decided they should do something and sued him for defamation.

Justin isn't cowed, and refuses to take down the page. He believes the suit is an attempt to intimidate him.

I don't know who's going to win, but it's good to see another way Facebook can be used to improve the world (one little step at a time) and to see someone who will stand up for what's right.

Wednesday, July 21, 2010

Security, like all things, best in moderation

The Washington Post is publishing a series on the state of the United States Security Community, and it's pretty interesting. For example:

* Many security and intelligence agencies do the same work, creating redundancy and waste. For example, 51 federal organizations and military commands, operating in 15 U.S. cities, track the flow of money to and from terrorist networks.

* Analysts who make sense of documents and conversations obtained by foreign and domestic spying share their judgment by publishing 50,000 intelligence reports each year - a volume so large that many are routinely ignored.

Wow. 51 agencies tracking money. 50,000 intelligence reports a year. I've been saying for a long time that the biggest problems leading up to 9/11 weren't lack of information, but too much information and too little communication. In the 9 years since then we have only added to the problem. In describing their data gathering, the Post said:

The Post's online database of government organizations and private companies was built entirely on public records. The investigation focused on top-secret work because the amount classified at the secret level is too large to accurately track.

That's scary. The article quotes several sources who say there is no process in place to keep track of all of the inter-agency information, even for the few people who are in a position to try. What's scarier is that this means we can't know whether all that manpower, information gathering, and money tracking is doing any good. Add to that the fact that we've had recent near-miss terrorist attacks in the U.S., and you realize that there is going to be another successful attack. The only question is, how severe will it be?

I recommend checking the Top Secret America website and reading the entire series as it comes out this week, although I admit it will be a bear. The first installment Monday was 17 screens long.