Friday, October 29, 2010

Midland, Arkansas school board member resigns over Facebook comments

It started Tuesday...well, it actually started Sunday or Monday, but it became a national spectacle Tuesday when "The Advocate" reported that a school board member in Arkansas was saying he wanted gays dead on his Facebook page.

Clint McCance was definitely old enough to know better. He made what he probably thought were cute, funny comments (they weren't) that his friends would laugh at. But the report in "The Advocate" had a screenshot of McCance's Facebook wall, and he was officially outed as a gay hating bigot. He probably isn't, he's probably just an unlucky, careless schmuck.

With thousands of hate mails, emails, and more than a few death threats bombarding him, Mr. McCance sent his family away for their safety and resigned his school board seat. He is forever branded in the blogosphere as an Evil Man.

I don't care how secure your Facebook is, if you have friended people, it's insecure. Once something is online it's fair game for everyone. Don't put anything online you wouldn't want all of your friends and family to see.

Thursday, October 28, 2010

Welcome to the world of dangerous malware, OS X

We have another piece of malware for MacOS X. Once again, it had a few moments of fame, but is a dud because it doesn't actually do anything. But there is a difference this time, and that difference makes OSX/Koobface.A potentially a serious threat to Mac users.

Until now all of the malware created for OS X has been distributed through relatively limited channels. Compared to Facebook and Twitter, extremely limited channels. A few porn sites and a couple of infected pirated programs add up to next to no traction for Mac malware. But take a variant of a successful Windows trojan, written in Java so it attacks all the major computing platforms, let it spread through Facebook and/or Twitter, and you have malware gold. The only thing that prevented a major outbreak of MacOS malware was what appears to be a bug in the malware that prevents it from downloading the files that would infect the computer.

This piece of malware suffers from the same weakness any Mac malware has - the user has to ok the install. You hope that Mac users wouldn't be that careless, but the truth is Mac users are people, and a lot of people hit those dialogs without thinking.

With somewhere around 600,000,000 users on Facebook there should be about 60,000,000 Mac users. If only 10% of them allowed the trojan to be installed that would be 6 MILLION infected Macs. Plus all the infected Windows computers, since it's a cross-platform piece of malware. All it will take is a bug fix and OSX/Koobface.A will be the first successful piece of OS X malware.

But even if it does get fixed you and I don't have to be victims. Don't click on links posted to your wall or Twitter feed without verifying their authenticity. Don't authorize any installations that you don't initiate yourself.

It always feels like there should be a third item in the list. But those two will probably be enough. Until someone finds and uses an OS X exploit that allows privilege escalation.

If you want more details about all the things OSX/Koobface.A will do once it's fixed, check out Intego's writeup.

Mac OS X Trojan - real, but broken

It's the real deal, but broken, so it's mostly harmless for now. But when I say broken, I mean fixable. So at any moment it may become dangerous. If you receive an update saying something to the effect of:


Are you in this video?


Don't click on it.

This is a variant of the Koobface trojan written in Java. That means it will also affect Windows and *nix variants.

Yes, fellow Apple fans, we've now seen how a real, potentially serious trojan for OS X can be done.


Wednesday, October 27, 2010

Is Apple's Mac App store a game changer?

The Mac App Store is coming in roughly 90 days. Steve is excited, and so are quite a few other people. According to two articles with brief developer interviews on Cult of Mac, most developers are looking forward to it. (1, 2) They also aren't sure exactly how it's going to work into their business strategies yet, but they're excited about figuring it out.

What does an App store on Mac mean to the rest of us, though? It's hard to say right now, but the idea of high quality software for $0 and up is enticing. The software in the iPhone/iPad app store is generally of high quality. Apple's App review policy ensures that it stays that way.

Will the App store put an end to traditional software distribution? I doubt it. Not in the near future anyway. Apple wants 30% of the app's sale price, which won't fly with companies like Adobe or Microsoft. Not to mention that internet speeds are still slow enough in many places that downloading the installer for something like the Adobe Creative Suite - especially the Master Collection - would take too long for most people. But Adobe and Microsoft may find themselves left in the cold if they continue to push bloated programs that no one can truly master because no one uses most of the 'features' they have. Why spend $150 for a program that does more than you'll ever need if you can spend $20 and get a compatible program that will do everything you do need?

Another good thing for consumers is that Apple's approval process, while flawed, does create a minimum quality that developers won't be allowed to fall below. It will put a dent in shareware on the Mac, if not kill it. Why hunt for shareware of questionable quality when you can go to the app store and download an app you know will at least do what it says, and probably cheaper than a shareware program?

What about competitors? Will Microsoft create an App store for desktop Windows? For all versions? What about Google and the Chrome OS? If they do, will either have an approval process similar to Apple's? I can already answer that last question. They won't. Google's Android has an app store, but there is no review process that I'm aware of. Microsoft won't because it's not in the company's DNA. Steve Jobs has always been a micromanager, at least of projects he's really interested in. He has always wanted to control as much about the Mac's user experience as he can. The App store is one more step to total control.

If successful the Mac App store will bring a profound change to software delivery on the Mac, and quickly. It's already having an effect. The effect it will have on other OSes is harder to predict, but unless it totally flops, it will have an effect. If it is as popular as the iPhone app store, Microsoft will have an App store for Windows by Summer 2011 at the very latest. They're probably already working on one. So the Mac App store has kept a few Microsoft software engineers employed for a few more months even if it flops.



Tuesday, October 26, 2010

Amazon wins customer protection case.

Declan McCullagh of CNET reports that Amazon has won its case against the state of North Carolina. Amazon doesn't have a physical presence in N.C., so the state can't collect sales tax on items sold on Amazon. But North Carolina has a usage tax that is supposed to be paid by citizens of the state. Because the tax wasn't being collected N.C. wants Amazon to give up the names and items purchased by citizens of N.C. so they can be charged for the tax.

Amazon had offered anonymized data, but the state wouldn't accept it. The judge ruled that N.C. was asking for more information than it had a right to. In addition, the data ran afoul of the First Amendment by giving the state access to information on what people were reading, watching, and listening to.

The decision was in line with previous court decisions on states asking etailers for customer information. States have no need to know exactly what we purchase unless they have reason to believe we are breaking the law. Even then they should need a court order or search warrant.

Monday, October 25, 2010

33 States ok online voting, but it's not ready

reports that there are 33 states allowing some form of online voting. But there are serious questions about the security of the systems.

There should be some concern just because the system is only as secure as the system the voter is on. But in one test, a team from the University of Michigan had complete control of one of the systems in 36 hours. Worse, they discovered other hackers, some from hostile foreign powers, trying to break in, too.

At this time there really isn't any way to guarantee the security of online voting. There is no standard to test against, no agreed development strategies, no real checks and balances. This election might be safe enough, but what about the Presidential election in 2012? What if in a close election a foreign power can take control of 5% of the votes? Or in a really close election, .5% of the vote?

Online voting is coming, and it will be a good thing. But implementing it must be done in a proper and careful manner. Accepting online ballots without proper development and testing opens our political system to manipulation by people who would benefit by affecting the outcome of elections. Sometimes it wouldn't even be necessary to determine the outcome. Sometimes controlling how close a vote is will change policy.

Making sure online voting is secure should be of the highest priority. Contact your state and federal representatives and tell them not to adopt any online voting system until it has been fully tested and certified secure.

Friday, October 22, 2010

Esther Dyson to marketers: wise up

After years of tracking users as quietly as possible and feigning shock when caught, somebody in marketing gets it. Liz Gannes of reports that Esther Dyson, chairman of Edventure Holdings, spoke to the Pivot Marketing Conference.

Ms. Dyson has a clear message to marketers, and it can be summed up easily. Communicate. Get rid of the complicated, obfuscating privacy policies. Use the same targeting skills you use on ads to tailor your message to the individual surfer, tell them what you are gathering, why, and what you are doing with it. Then, give them the real option to opt out. Her assertion is that many won't because once they know how they benefit by being tracked they won't want to lose it.

I don't know why that is so hard to figure out - although I'm not sure I like the idea of them using the information illicitly gathered to craft a message especially designed to convince me to give more information. But it would be too much to expect that marketers would simply open up and let us choose. They have the information, and they don't want to lose the source.

Esther Dyson marveled that marketers can figure out how to target ads to individuals but can't figure out how to target the message that tracking benefits them. She is correct on both counts. It's amazing that marketers haven't figured out how to create targeted messages about tracking, and there are benefits to being tracked. I don't think the benefits are worth it. You might disagree. But neither of us is being allowed to make that choice, and that is the problem.

Thursday, October 21, 2010

Med students don't understand confidentiality

George Hulme of InformationWeek blogged about medical students tweeting about patients. He referenced a Time article that shed even more light on the subject.

The brunt of both articles is that medical students think what they put on their personal accounts is private. For some reason they think that walking out of the hospital and sitting at their own computer puts them outside the constraints of HIPAA. I'm here to tell them, "You are always under the constraints of HIPAA." This is even worse than the Oxford students a couple of years ago who thought their privacy was violated when the school provost saw pictures of them acting like fools on Facebook. If you put it online, it's not private. If it's somebody else's private (especially medical) information, you're risking fines, convictions, and job or career loss.

Be careful what you put online. It will bite you in the butt.

Wednesday, October 20, 2010

Big Brother - it's not who you think

George Orwell foresaw a future with no privacy and no security from government control. We aren't there yet. Not with the government. With corporations it's almost completely a done deal. But that can be changed.

It can be changed, but only if enough people are willing to take charge of their own information. Willing to be inconvenienced by denying cookies and turning off scripting. Willing to use private browsing all the time. Willing to leave Facebook until the privacy policy is improved and enforced. In short, willing to force corporate America to change the way they gather marketing information.

Don't think it will be easy. The tracking information gathered when we search, buy, or just surf the web has become almost indispensable. Or at least corporations think it has. They won't willingly give it up.

I'm not sure most of us will be willing to give it up, either. A lot of the convenience of the web is a direct result of that data gathering. The nice personalized pages, the suggested items on eBay, Amazon, etc. are all a result of gathering and keeping data. Using your Facebook or Twitter sign-in to log-in to other sites requires gathering and sharing data.

Most of these things could probably be done with less tracking and data gathering. But they won't be unless we insist on it. And without insisting on simplified privacy policies written in plain English things will go back to the way they were. The sad truth is, even with privacy policies, the data gathered and held is still outside of our control.

The truth is, to enjoy any activity there has to be give and take. It only becomes a problem when one side either doesn't know what it's giving, or the exchange is far more beneficial to one side than the other. Most people do not realize just what they are giving up simply by participating in online life. If they did, they might not think they were getting their money's worth. They should be given the opportunity to make that choice.

If you would like to get a basic idea of just what can be figured out about you online you might try searching for your own name in Google, Bing and Yahoo. Depending on how active you are online, you might be surprised.

Tuesday, October 19, 2010

Facebook apps transmitting users', friends' data

Facebook apps are broadcasting user data. That's against Facebook's privacy policy. Worse, at least some of the apps are also broadcasting the users' friends' data. Emily Steel and Geoffrey A. Fowler of the Wall Street Journal reported that tens of millions of users are affected, even if they have their privacy settings set to the strictest privacy Facebook allows.

A short while later Mr. Fowler reported that this "breach" is severe enough the co-chairs of the House Bipartisan Privacy Caucus, Representatives Edward Markey (D, Mass) and Joe Barton (R, Texas) sent Facebook founder Mark Zuckerberg a letter of concern.

This isn't a new issue. There have been similar problems found with Facebook in the past. The problem is that Facebook - and a host of other companies - have business models that require gathering and analyzing user data. The more data they can gather, the better the information they can sell to other parties.

It wasn't just names that were gathered. Facebook ID numbers were gathered. Then they were either sold to other companies or put in cookies for tracking. Of course, all of the companies involved say they didn't store, collect or use any of this information.

I have a Facebook account for the purpose of seeing the changes they make to their privacy settings and policies. I had thought about breaking down and actually using it. But until Facebook gives me actual control over my information, it's not happening. When my friends can involuntarily give up my information, that's more than a problem, that's criminal.

Monday, October 18, 2010

COICA: RIAA and MPAA at it again?

In the comments on Friday's post I said I might talk about the free speech problems inherent in the administration's desire to wiretap the internet. That's not happening today, although it's still an important topic. Today we are going to talk about COICA, the "Combating Online Infringements and Counterfeits Act". The Electronic Frontier Foundation has a very good resource page, including a list of legitimate and pseudo-legitimate sites that could be taken down using COICA, and a page explaining why.

This bill (S111=3804) does what has never been done in the United States - it censors the internet. Probably in a much more far-reaching manner than expected by the Senate, or by the groups pushing for it. If it is as effective as its elder brother, the DMCA, it will also have little effect on criminals, but will have far more serious effect on law-abiding citizens.

Actually, this ties in with my concern over the proposal to make the internet wiretap friendly. Businesses such as and Mozy.com store your data encrypted. They cannot access it because they don't have your encryption key. Then there are free sites like Dropbox and Carbonite and Mozy are for-profit businesses, and presumably can prove that their primary purpose is not sharing pirated music and/or movies. Dropbox and Oosah may have a harder time. And if push came to shove, none of them could prove the files on their servers are not stolen intellectual property - unless they have the ability to decrypt their customers' files. So to make COICA work they will have to make the internet wiretap friendly. Except that still won't make COICA work, it will just harm legitimate businesses and services.

If I were into conspiracy theories I'd say we were seeing a two pronged attack. If the RIAA and MPAA can get COICA passed, the 'wiretap bill' (whatever it will be called) will be passed because COICA will require it to be able to prove a site's primary purpose is piracy. It could even be made part of COICA. The Fed, the MPAA and RIAA would all get what they want. It wouldn't work the way they expect it to, because the bad guys don't obey the law. Steve Gibson of the Security Now podcast (show transcript) stated the problems well:

Well, and you end up with cat and mouse, too. You end up with those sites that are blacklisted register under a different name. And for a while they're there, until the blacklist catches up with them. And then they move again. I mean, the whole thing is just brain dead. It makes no sense. But we have a problem, and that is that we're dealing with technology that the legislatures probably don't understand. And who knows what the unintended consequences are going to be. But the idea that we're facing state-sponsored censorship of the Internet...

The bill specifies that domain names will be blacklisted. That's wonderful, but blacklisting a domain name may not be enough. The bill does not mention IP addresses, and I don't think those get blocked if the domain name is. If the IP address isn't blacklisted, then the whole thing is an exercise in futility. All the domain name system does is say, "IP address will map to domain name "" If you type in the IP address you'll get to the site, even if the domain name is blacklisted.

When it comes to wiretapping the internet and putting backdoors on encryption, in the same podcast, Steve said:

Now, the problem is, and we said this a little bit at the top of the show, is this is too late. I mean, I completely sympathize with what law enforcement wants to do, with the dilemma they have. But this technology exists. It is in the public domain. It is in open source tools all over the world. It's already escaped. And there's nothing they can do about it.

What Steve is talking about is that current encryption technology is pretty much uncrackable. The best way to crack it is to use things like rainbow tables and try to find collisions - which means you find passwords that give the same results. The weaker or more common the password used, the easier it is to crack the encryption. So if you use "Rover" it may not take long to discover it through rainbow tables. "e3'w53eksw;1" may take centuries. That might not be such a big deal if encryption software was proprietary, with every company creating its own and keeping the codes and algorithms secret. But encryption technology is almost 100% created by people and teams who have given the code and algorithms free and clear for anyone to use. So if we install backdoors in our encryption products, the only people it will have any effect on will be law-abiding U.S. citizens. Criminals and foreign citizens will not care because they can roll their own encryption software.
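The difference between the two passwords above can be checked directly. The following is an added example, not part of the original post or of the podcast: it uses a plain precomputed hash lookup table as a simplified stand-in for a rainbow table, and shows that a per-password salt with a slow key-derivation function makes such precomputation useless. The word list, function names and iteration count are assumptions made for the illustration.

```python
import hashlib
import math
import os
import string

# Constructed sample word list; real dictionaries hold millions of entries.
COMMON_WORDS = ["password", "rover", "letmein", "dragon", "monkey", "qwerty"]

WEAK = "Rover"            # the weak password quoted in the post
STRONG = "e3'w53eksw;1"   # the strong password quoted in the post


def candidates(words):
    """Yield each word in the case variants a dictionary attack tries first."""
    for word in words:
        yield from {word.lower(), word.upper(), word.capitalize()}


def unsalted_digest(password):
    """Bare SHA-256 of the password: the weak storage scheme."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_table(words):
    """Precompute digest -> password once; the table works against any target."""
    return {unsalted_digest(p): p for p in candidates(words)}


def salted_digest(password, salt, iterations=100_000):
    """PBKDF2-HMAC-SHA256 with a per-password salt (iteration count is illustrative)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def search_space_bits(password):
    """Brute-force search space in bits, from the character classes actually used."""
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    pool = sum(len(cls) for cls in classes if any(ch in cls for ch in password))
    if pool == 0:
        return 0.0
    return len(password) * math.log2(pool)


def audit(password, table):
    """Report whether a precomputed table recovers the password, and its search space."""
    salt = os.urandom(16)  # fresh random salt, stored next to the digest in practice
    return {
        "in_table_unsalted": unsalted_digest(password) in table,
        "in_table_salted": salted_digest(password, salt) in table,
        "bits": round(search_space_bits(password), 1),
    }


if __name__ == "__main__":
    table = build_table(COMMON_WORDS)
    for pw in (WEAK, STRONG):
        print(repr(pw), audit(pw, table))
```

The dictionary word is recovered by a single table lookup when stored unsalted, while the 12-character random password is absent from the table and has a brute-force search space of roughly 73 bits against roughly 28.5 for "Rover".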

I haven't even talked about free speech, but it's late, so I'll leave this here for now.

Friday, October 15, 2010

Does the Constitution guarantee a "right to privacy?"

The announcement last week that the FBI wants to be able to 'wiretap the internet' has brought a lot of discussion about privacy rights, and whether they are granted by the Constitution. I thought that, although I'm not a lawyer, Constitutional or otherwise, I'd take a look. A quick scan of the Bill of Rights gives me the impression that most of the first 10 amendments to the Constitution deal with either freedom or security:

The 4th Amendment is the one associated with the right to privacy. It says, specifically:

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

That seems to speak more to security than freedom. But privacy is implied - you can't have privacy without having security - it's kind of a byproduct. So there is an implication of privacy in the 4th Amendment. But is the implication enough to say that privacy is a right protected by the Constitution? Maybe if we look a little more we can find something a little more persuasive.

Amendment 1 - Freedom of Religion, Press, Expression. Ratified 12/15/1791.

Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances.

Deals with both freedom and security. Freedom of speech, security to assemble and petition the Government.

Amendment 2 - Right to Bear Arms. Ratified 12/15/1791.

A well regulated Militia, being necessary to the security of a free State, the right of the people to keep and bear Arms, shall not be infringed.

To me this is straight up security. And at least one founding father believed it applied to private citizens, not just military personnel:

"No free man shall ever be debarred the use of arms. The strongest reason for the people to retain the right to keep and bear arms is, as a last resort, to protect themselves against tyranny in government" Thomas Jefferson

If you'd like some food for thought, chew on this a little. Security and privacy cannot be separated. One of our assurances that we will continue to have both is the 2nd Amendment guarantee that all citizens have the right to "keep and bear arms."

Amendment 3 - Quartering of Soldiers. Ratified 12/15/1791.

No Soldier shall, in time of peace be quartered in any house, without the consent of the Owner, nor in time of war, but in a manner to be prescribed by law.

This is a guarantee of both security and freedom. Even in time of war soldiers can't just be thrust into the homes of private citizens. There may even be the implication that even in time of war citizens should be able to refuse to house soldiers.

We looked at the 4th Amendment above, so on to the 5th:

Amendment 5 - Trial and Punishment, Compensation for Takings. Ratified 12/15/1791.

No person shall be held to answer for a capital, or otherwise infamous crime, unless on a presentment or indictment of a Grand Jury, except in cases arising in the land or naval forces, or in the Militia, when in actual service in time of War or public danger; nor shall any person be subject for the same offense to be twice put in jeopardy of life or limb; nor shall be compelled in any criminal case to be a witness against himself, nor be deprived of life, liberty, or property, without due process of law; nor shall private property be taken for public use, without just compensation.

A strong defense of our security in our persons. And no small protection of privacy. The protection against self-incrimination is the ultimate protection of privacy. Even if the government is certain we are guilty, they have to prove it without forcing us to tell our secrets.

Amendment 6 - Right to Speedy Trial, Confrontation of Witnesses. Ratified 12/15/1791.

In all criminal prosecutions, the accused shall enjoy the right to a speedy and public trial, by an impartial jury of the State and district wherein the crime shall have been committed, which district shall have been previously ascertained by law, and to be informed of the nature and cause of the accusation; to be confronted with the witnesses against him; to have compulsory process for obtaining witnesses in his favor, and to have the Assistance of Counsel for his defence.

The 6th Amendment is all about securing the rights of the accused. It is the core of "innocent until proven guilty" and the right to a fair trial.

Amendment 7 - Trial by Jury in Civil Cases. Ratified 12/15/1791.

In Suits at common law, where the value in controversy shall exceed twenty dollars, the right of trial by jury shall be preserved, and no fact tried by a jury, shall be otherwise re-examined in any Court of the United States, than according to the rules of the common law.

This secures the right to jury trial for civil suits where a significant amount of money is involved. $20 was a lot more significant in the 18th century than it is now.

Amendment 8 - Cruel and Unusual Punishment. Ratified 12/15/1791.

Excessive bail shall not be required, nor excessive fines imposed, nor cruel and unusual punishments inflicted.

Another that protects both security and freedom. It secures our persons and our rights against cruel and vindictive actions by representatives of government.

Amendment 9 - Construction of Constitution. Ratified 12/15/1791.

The enumeration in the Constitution, of certain rights, shall not be construed to deny or disparage others retained by the people.

This is all about security and freedom. It says that the U.S. Constitution is an inclusive document, not an exclusive one. That means that it does not list all of the rights belonging to the people, and the fact that it doesn't does not mean the rights not listed are less important than the rights that are. So the fact that a right to privacy is not mentioned specifically means nothing. The fact that it is implied in several places means a lot.

Amendment 10 - Powers of the States and People. Ratified 12/15/1791.

The powers not delegated to the United States by the Constitution, nor prohibited by it to the States, are reserved to the States respectively, or to the people.

This amendment protects the rights and freedoms of the States and the People by stating explicitly that if the Constitution does not specifically state that a power is given to the Federal government, it belongs to either the States, or the people. Unfortunately phrases such as "common good" are so vague that they can, and have, been used to greatly expand the powers of Federal government.

Looking at the Bill of Rights, I see 1, 2, 4 and 5 dealing directly with personal security, and by implication, personal privacy. The 9th Amendment explicitly states that the rights listed in the Constitution are not the only rights we enjoy as citizens, which bolsters the case that we have a right to privacy and should quiet the people who say "There is no right to privacy in the Constitution." Whether it's there or not is irrelevant because the Constitution is not exclusive.

I'm not a lawyer, but it looks like someone with some (a lot of) money, time and a sharp lawyer could carefully pick a company or two that make use of internet data mining and sue them for violating our Constitutional right to privacy. Any takers?

U.S. Bill of Rights quoted from

Apple selling iPad through Verizon

Apple has announced that the iPad will be available from both AT&T and Verizon stores on October 28th. The AT&T offering will be the standard selection, but Verizon will only offer the iPad Wi-Fi bundled with Verizon's MiFi hotspot:

Verizon Wireless will offer three bundles, all featuring an iPad Wi-Fi model and a Verizon MiFi 2200 Intelligent Mobile Hotspot, for a suggested retail price of $629.99 for iPad Wi-Fi 16GB + MiFi, $729.99 for iPad Wi-Fi 32GB + MiFi and $829.99 for iPad Wi-Fi 64GB + MiFi. Verizon Wireless is offering a monthly access plan to iPad customers of up to 1GB of data for just $20 a month. In addition, Verizon Wireless will also offer all three iPad Wi-Fi models on a stand-alone basis.

“This is the perfect pairing for holiday travels,” said John Stratton, chief operating officer for Verizon Wireless. “iPad together with the nation’s largest and most reliable 3G data network allows customers to easily connect on the go wherever they are.”

This is a little more expensive than just getting a 3G iPad from AT&T, but it's not a bad deal, if you are planning on travelling with more than just your iPad. The MiFi 2200 hotspot allows you to connect multiple devices to Verizon's 3G network using Wi-Fi:

MiFi 2200 is small enough to fit in a pocket and allows customers to create a personal Wi-Fi cloud capable of sharing the high-speed Internet connectivity of the Verizon Wireless 3G Mobile Broadband network with up to five Wi-Fi-enabled devices. The MiFi 2200’s rechargeable battery provides up to four hours of active use and 40 hours of standby time on a single charge.

Verizon's 3G network is larger than AT&T's, so if you want an iPad that is useable in as many places as possible, and want to be able to connect multiple devices to the web anywhere you can use a Verizon phone, this bundle may be just what you're looking for.


Apple is pushing the iPad far and wide. Now it is available from the two largest cell phone providers, Target, Amazon, Wal-Mart, and Sam's Club. I'm beginning to wonder if the next iPhone announcement won't be its availability on more than just AT&T and Verizon. It seems unlikely, but I have to wonder.

Wednesday, October 13, 2010

Copyright law is killing audio preservation

In 2000 the Library of Congress was tasked with preserving the audio portion of our cultural heritage by The National Recording Preservation Act of 2000 (P.L. 106-474). A study was initiated to determine the best way to preserve audio, identify problems and examine possible solutions. That study was released a few weeks ago, and you can find the 181-page PDF here. It identified several difficulties in preserving audio recordings, including the many different digital formats that have come and gone in the recent past, leaving some audio in formats that are difficult to read. In fact, it is actually harder to access some recent digital recordings than to access recordings that are around a hundred years old.

But the greatest threat to preserving our audio heritage isn't technological, it's legal. According to the study there is no legal way to adequately archive audio. Copyright law is written in such a way that it is next to impossible for libraries to archive - and grant access to - many, if not most, audio files. In fact, the study says that,

Privileges extended by copyright law to libraries and archives to copy sound recordings are restrictive and anachronistic in the face of current technologies, and create only the narrowest of circumstances in which making copies is fully permissible.

It makes me wonder: Is it actually legal for libraries to loan out books on tape or CD? They suffer from many of the same copyright issues as audio recordings. I find it refreshing that a government institution is beginning to realize that, while there is a legitimate purpose for copyright, when it gets too restrictive it becomes more harmful than helpful. One of the greatest results of any creative work is actually the effect it has on those who experience it - and on works they produce.

The parallels between intellectual property rights and privacy rights are interesting, although not surprising when you think about it. Both are important for society to function, and both are a balancing act. In the case of copyright, many of the changes in the past 50 or so years have been at the urging of large corporations such as Disney, Sony, and RCA to protect their financial interests. Now we're beginning to see that the tight control they sought is actually detrimental to society as a whole. I wonder how long it will take to show the same is true of personal freedom?

HTML 5: Spyware built in?

A couple of weeks ago I blogged about the evercookie created by Samy Kamkar. An article by Tanzina Vega in Sunday's New York Times talked about HTML 5, the evercookie, and the future of tracking on the internet.

HTML 5 is being lauded for getting rid of old code and making it easier to make widely viewable multimedia websites. But there is a downside. Not only does HTML 5 make viewing multimedia content easier, it also makes tracking users easier. Much easier. Samy Kamkar's evercookie is one example of this.

Samy tells the NY Times that he didn't create the evercookie to track people, but as a means of showing the ease of tracking people on the internet with the latest technology. He did a very good job of that.

Advertisers, retailers and government agencies all love having more ability to track the online movements of people who visit their sites. And it is their right to ask for information. But it is also our right to refuse to give it. Just as I can fill prescriptions at CVS without having to get one of their bonus cards, I should be able to visit their online store without giving them any more information than is required for any transactions unless I want to. HTML 5, which I suppose could be said to be ushering in Web 3.0, makes that much harder. It is already difficult to take steps to protect your privacy. Between bad guys actively trying to compromise our data and the things we do ourselves, revealing too much on social networks or assuming privacy when there is none, privacy is definitely under siege. HTML 5 brings many advantages. With those advantages it also brings the potential for tremendous invasions of privacy if we allow it to be used that way.


In a Reuters story on Yahoo, Lynn Adler reports that the FBI seized John Lennon's fingerprints just before they were auctioned off. There was some confusion on the part of the auction house about why the FBI would be concerned about the fingerprints of a man 30 years dead.

While I understand the confusion, the FBI's concern was that the fingerprints, which were part of John Lennon's citizenship application, might have been taken from his government files. If they were, they shouldn't have been available to be auctioned off.

The story didn't say if the FBI discovered the fingerprints were actually taken from government files, but it started me thinking. Does the government have the right to confiscate fingerprint records, or should it? Today I would say no, in most cases. But technology, law enforcement, and crime are rapidly changing. So will the answer still be no in 10 years? 20? 50? What will be possible in that time frame?

It is surprisingly easy to forge fingerprints. Superglue, a bottle cap, some wood glue and a little care and patience make it possible, and instructions are easy to find on the internet. I'm not sure a fake fingerprint made that way will last very long, but with a little more time and technology it could be possible to have fake fingerprints that last through hours of hard wear.

Looking at how easy it is to fake fingerprints, I can see the FBI not wanting a full set of celebrity fingerprints floating around in the wild. If it were possible to wear fake fingerprints without losing significant tactile sensitivity I could see a black market built around the fingerprints of dead people. It would be relatively easy for a crooked funeral home to record fingerprints and sell them on the black market. Or perhaps a hospital or city morgue. In that case having fingerprint records of everyone who dies might be an important way to make sure law enforcement makes efficient use of resources. Knowing that the fingerprints you've discovered at a crime scene belong to a dead person would save time that would otherwise be spent looking for a dead person.

I don't actually expect to see that type of forgery becoming widespread in my lifetime. Unless you want to make it look like a particular person it makes a lot more sense to avoid leaving fingerprints. But what about other biometric data? Will it one day be possible to forge retina scans? What about genetic data?

Have you seen the movie, Gattaca? It's the story of a world in which most children are genetically tailored to have all the best traits of both parents. Children born the old-fashioned way are discriminated against. The protagonist bucks the system by faking his genetic identity. But it's not easy, and the authorities are tipped off when they find an eyelash that does not match anyone who should be working where the hero is working. Gattaca is the story of genetic fingerprinting carried to the extreme as a means of identification and class discrimination.

There are a lot of good reasons to give the authorities more power to gather data and spy on citizens in aggregate. And there are a lot of reasons to limit that power. It is a constant tug of war for control between governmental authority, whether it's local, state, or federal, and citizens. And that tug of war must continue. Anarchy is not a good system of government, but neither is the "Big Brother" of Orwell's "1984" or Huxley's vision of "Brave New World." There is a lot of room between total individual freedom and total government control, and it's up to us to make sure we don't travel too far toward the extremes.

Friday, October 8, 2010

Biometric authentication: You can't misplace your thumb

On October 1st the Babbage blog at the Economist took a look at biometric security measures. I'm a longtime opponent of using biometrics for general security. In certain applications they're ok, but the potential problems make them a poor choice for the general public. I agree with the blog's author when he says they are Dubious Security.

What is the problem with biometrics? Well, the upside is that you can't lose, misplace or forget your body. The bad news is, fingers, hands and even eyes can be removed, whether or not you agree to it. But the problems exist whether or not your body parts remain connected:

The downside is that biometric screening can also work without the user’s co-operation or even knowledge. Covert identification may be a boon when screening for terrorists or criminals, but it raises serious concerns for innocent individuals.

Covert identification is a nice way of saying they're secretly comparing scans of body parts - usually faces - with pictures or scans on file. This may seem like a good idea. In theory you can find wanted criminals this way, but I've never heard of them actually catching anyone that way. Meanwhile we don't know if they're keeping copies of the images they scan or, if they are, why. But more troubling than that is the possibility of false positives. It can be a real pain to convince the authorities that you were born and raised in Dubuque when their fancy scanner has identified you as Osama bin Laden's second in command.

There is even a case of mistaken identity cited in the blog:

The eye-opener was the arrest of Brandon Mayfield, an American attorney practicing family law in Oregon, for the terrorist bombing of the Madrid subway in 2004 that killed 191 people. In the paranoia of the time, Mr Mayfield had become a suspect because he had married a woman of Egyptian descent and had converted to Islam. A court found the fingerprint retrieved from a bag of explosives left at the scene, which the Federal Bureau of Investigation (FBI) had “100% verified” as belonging to Mr Mayfield, to be only a partial match—and then not for the finger in question.

As it turned out, the fingerprint belonged to an Algerian national, as the Spanish authorities had insisted all along. The FBI subsequently issued an apology and paid Mr Mayfield $2m as a settlement for wrongful arrest.

Maybe I need to get misidentified by the FBI. I could use a cool $2m. I'm sure that Mr. Mayfield won't be the last to be wrongfully identified by biometric data. It is the nature of biometric data that it cannot give a 100% certain identification. Thus there is always the possibility of false positives, and over time they are going to happen. But biometric data isn't alone in fallibility. IDs can be forged, and people fall prey to social engineering. But biometric authentication has an air of infallibility that the others don't, and that is what makes it so dangerous as a means of authentication.

Facebook will take your phone number - and your friends

Do you upload your contacts from your cell phone to Facebook? Charles Arthur of the technology blog posts that you may be giving away more than you realize.

When you upload your contacts to Facebook from your iPhone (and probably your Android phone, too) all of them are uploaded, and Facebook uses the info to try to find friends to connect you with. But the big problem here is that it uploads all of your contacts. Is everyone whose number is in your cell phone ok with you putting their phone number online? On Facebook? And compared to everyone on Facebook to connect you with people?

It's really your business if you put your phone number or anything on Facebook. But a lot of people don't hand their phone number to just anyone. The Facebook iPhone app ignores that fact and takes your entire contact list from your phone for Facebook's use. It ignores the fact that some of your contacts might not want to have their phone number on Facebook, or that you might not want all of your contacts there. Again, Facebook assumes it knows better than you do what you should do with your information. That is rude and presumptuous.

British ISP gets small win against mass IP lawsuits

BBC technology reporter Jonathan Fildes tells us that British ISP BT sought - and received - a temporary halt on new and existing requests for the identities of its customers by law firms representing the record label Ministry of Sound. Apparently the decision to fight was made in part because of a data breach at the British law firm ACS:Law in which thousands of customers from various ISPs had their personal information compromised.

It's great to see a court that listens to reason. BT did not ask for a permanent injunction, they asked for a temporary stay until a test case could be heard. That is one of the first sensible things I've heard said by someone in a position to try to do something about the rogue recording and video industries. BT also said the second sensible thing:

"We want to ensure broadband subscribers are adequately protected so that rights holders can pursue their claims for copyright infringement without causing unnecessary worry to innocent people.

We have not simply consented to these orders in the past, we have asked for stricter terms as public concern has risen. The data leak with ACS:Law prompted us to take further action today."


There is no argument that sharing certain music is illegal. Or copying and sharing some DVDs. But is it bad for business? I've seen evidence that indicates filesharing can be good for business, but the claims I've seen that it hurts business often seem to assume that there is no other possible cause for decreased sales.

The record companies have their (failing) old business model, and they would rather defend it than learn how the new paradigm that embraces the internet works. But there are people embracing the new paradigm, and doing well in it. Here are some places to download free music legally. Some of it's really good. You may not see many, or any, names you know, but you will find a whole new world of music. Check 'em out:

Jamendo - free and legal music downloads. Most if not all of the artists even permit sampling and modifying their music.

Magnatune - We are not evil. Magnatune has very liberal licensing, with much of its music being free for personal and student use. If you want to include it in a commercial project there is a one time fee - which the artist gets 50% of - and no royalties. Even if your project goes on to gross $10,000,000,000 you never have to pay anything beyond the initial licensing fee.

Do you know any good, legal sources of free music or videos? Put 'em in the comments and share with the rest of us. But please don't include torrent sites and trackers unless they police their content to keep out illegal files. 

Even the privacy breaches are bigger in Texas

Neil Versel of reports that there have been several severe privacy violations in Texas recently. It's not bad enough that Texas apparently is a hotbed for privacy violations, but one of the major perpetrators is the Texas Department of State Health Services. Not an agency to go about (alleged) wrongdoing in a small way, the TDSHS is selling and giving away information on 27,000,000+ hospital stays since 1999. Free information is anonymized, but according to Versel those willing to pay get all kinds of interesting information:

DSHS makes public through its website files on more than 200 kinds of information, including individuals' insurance coverage, whether the stay involved placement of a heart stent, sterilization, abortion performed due to rape and any tests or medications delivered while in the hospital.

I suddenly have a morbid curiosity to see what information is available that the doctors didn't tell us from hospital stays over the past decade.

The second big violation was CVS Caremark pharmacies. CVS Caremark has allegedly been over-reaching their authority as required by the FTC when it approved the CVS / Caremark merger and capturing patient data for marketing and other purposes in violation of HIPAA laws. They are also accused of using their position and information to squeeze smaller pharmacies out.

Our last homegrown privacy violation is from former state Representative Bill Zedler (R-Arlington). Mr. Zedler used his position to get the medical board records on five doctors. At least two of those doctors contributed to his campaign - the story doesn't say if it was before or after he accessed their records.

People wonder why privacy is important, and why it's important that our personal information be kept under our control. These are the reasons why. People, government agencies, and private corporations are profiting by gathering and selling our data. It's not unrealistic to say that in some cases they know more about us than we know about ourselves. That companies can gather, categorize and analyze personal information without our knowledge or consent and sell it to others not just for a profit - but without compensation to us, is wrong. And that's why privacy and privacy protections are important.

Is social media safe for work?

As we become ever more involved with Facebook, Twitter and the like it's becoming more common for companies to allow employees to access them online. But is that a wise decision? Both Facebook and Twitter have been hit by malware recently, and it is only expected to happen more often. Facebook is built on trust - a commodity that has to be earned in less open environments.

While social networks rely on people trusting each other, in a business environment a certain amount of paranoia can be a good thing. Clicking the wrong link or friending the wrong person can place a company's data and resources - even the most important resource, the customers - in jeopardy. Spam and phishing email rely on people's trusting nature. Facebook encourages it.

Companies often block websites that are known malware hosts. Many block, or used to block, Facebook, Twitter and other social networks. As they have become more popular and marketing departments see promotional opportunities, the demand for access at work has risen, and many companies have relaxed their policies. There are good and valid reasons for businesses to market on Facebook and other social networks, but is it necessary for them to allow all employees access to them?

Companies routinely block sites that are known to be dangerous or objectionable. Most also have provisions for employees who need to access those sites. The same could be done with social networks. It would make sense to only allow access to social media to those who need it as part of their job. It limits the exposure and can make it easier to track down the source of an infection.

As more companies allow unlimited access to social networks it's only a matter of time before there is a major breach from access of social networks. The only question is when.

Friday, October 1, 2010

Accept credit cards on your mobile device.

In his NYT column yesterday, David Pogue reviewed the offering of a company called Square. Their product is a sweet software/hardware combo that allows anyone to accept credit card payments on their iPod, iPhone, iPad, or Android phone. And do it at a reasonable cost.

I have to admit that I haven't paid any attention to processing credit cards on your cell phone. This looks like a cool idea, but apparently it's not the only option out there - although it may be the most palatable for some. In the comments to the article the reaction seems about even between the "This is great!" and the "This is a waste" crowds. There are a couple of people concerned about fraud, but I don't think the risks are any worse than anything we already face on a daily basis. No worse than giving your credit card to the waitress at your favorite restaurant, anyway - and probably not as bad.

Square makes it possible to accept credit cards at your garage sale, or your booth at the local trade days, flea market, or for services you provide. It makes it possible to accept credit cards even if you only need to once or twice a year. And it makes it possible without having to have a merchant account or a PayPal account, which is a big plus to some. Will it take off? I think it has a good chance, but only time will tell.