Facebook Twist: Anti-social networking

The Times Online reports that Colin Gunn, a notorious British godfather, has had free access to the internet, and has been using it to intimidate and terrorize via Facebook. He claims to have been given permission for it by prison officials. The suspicion is that they gave him access fearing refusal would be called a human rights violation. On the face of it, this seems silly, but it was only last June that the French version of the Supreme Court declared Internet access to be a fundamental human right. I'm sure they never intended for convicted felons to be able to access the internet from prison and continue to run their gangs. That is exactly what Gunn did, using his Facebook account to send intimidating messges, such as:

“It’s good to have an outlet to let you know how I am, some of you will be in for a good slagging, some have let me down badly, and will be named and shamed, f****** rats.”

Such an endearing character.

This actually isn't a post against Facebook. Facebook had no control over this, and probably shouldn't. The problem here is the idea that internet use is a "human right." If it is any kind of right at all, it is a citizens right, and like many other citizens rights, can be lost once you are convicted of a crime. Matt Asay makes some good points on the subject in his article, "Is Internet access a 'fundamental right'?" from May of last year. As Matt points out, there are rights and responsibilities. It's important not to confuse the two.

Lot-o-links: Articles on Facebook, Google, Supreme Court and more

From Businessweek:  New EU Privacy Laws Could Hit Facebook - Mark Zuckerbergs mouth paints a target on Facebook

Exchangemag.com: Google Social Search Hits Privacy Snag on Facebook - Maybe Facebooks privacy settings are better than we thought.

Mediapost.com: Google Scores Partial Victory In Street View Lawsuit - Google streetview photographing view of house ok. Entering private drive to do it, not so much.

U.S. News: Should Supreme Court Uphold the Quon Case on Worker Privacy? Should workers expect email and other electronic communication on company equipment be private? Take the poll.

PCWorld.com: EFF:Browsers Can Leave a Unique Trail on the Web - Find out how much information your browser gives without even being asked. With suggestions on how to obscure your trail.

RDMag.com: How Can Policymakers Promote Innovation and Strengthen Privacy? - Policy always lags behind technology, trick is protecting privacy without stifling innovation.

Hope you find the reading interesting.

Bev Stayart = Levitra?

Have you ever heard of Bev Stayart? To be honest, I hadn't, either. But looking at privacy news this evening I saw her name in a headline, "Bev Stayart Sues Yahoo Again For Violating Her Privacy Rights" and had to check it out. The story was on Techdirt, and tells the sad tale of Ms. Stayart, who sued Yahoo because she did a search for her name and didn't like what came up. That case was understandably thrown out of court, er, I mean dismissed. So here we are a year later, and Yahoo finds itself the target of Bev's lawyers once again.

Why?

It seems that now if you go to Yahoo and type in "bev stayart" the search "bev stayart lavitra" is suggested. If you choose to leave off "levitra" then on the results page it asks if you want to search for "Bev Stayart Levitra."

I'll refrain from making any of the bad jokes I'm thinking of at the moment.

Well, if you actually perform the search for "bev stayart levitra" you find that the association is made because most of top results are from her year old lawsuit with Yahoo. Well, they were, now they are from all the stories and blogs about this lawsuit AND her year old lawsuit.

Congratulations, Ms. Stayart, you are well on your way to permanently tying your name to both Yahoo and Levitra.

[edited title to be more informative by Bert]

TOR cracked to catch child pornographers

Tuesday I wrote about TOR, The Onion Router. Wednesday in ZDNets "Zero Day" blog I read about a TOR server patch written for the purpose of catching child pornographers. Not just to the geographic location they are operating from, but to the computer they are working at. A worthy endeavor. But since the author, HD Moore of Metasploit fame, is releasing the source code, modified versions of the patch can be created to track anyone using TOR. This means TOR as a standalone item has become useless for protecting people who need protecting, i.e. human rights activists in oppressive countries, journalists and police under cover, and anyone with a legitimate need to keep their location hidden.

Moore (arguably) had good reason to do this. In Germany, at least, TOR is being heavily used, or is suspected of being heavily used, to traffic in child pornography, and the German authorities have been cracking down on TOR servers. But is the possible benefit in one admittedly important area worth the cost in several other important areas?

But there is an alternative the the TOR package by itself. It is also cross platform, and free. It will run on Intel Macs, Windows, and Linux. It is called JanusVM and runs in a virtual machine. It plugs the holes used by Moore's patch, and keeps your location obscured. From the Janus website:

JanusVM is powered by VMware, built on the Linux 2.6.14 kernel, and brings together openVPN, Squid, Privoxy, and Tor, to give you a transparent layer of security and privacy that is compatible with all your TCP based applications. DNS request are also passed through Tor so even your ISP doesn't know what web site you are looking at.

JanusVM is free, cross platform, and can take a little more setup than the basic TOR package, depending on how your network is setup. But if you need anonymity online, it's the best thing going now.

A little more Facebook, good and bad

Facebook, like most tools, can be good or bad. When it's good, it can be really good, like gathering aide for Haiti, or as reported by the Economic Times, a father and daughter who haven't seen each other in almost half a century find each other through Facebook.

But it can be very bad, too. According to the Crime Scene KC blog, Micheal Cowley plead guilty to posing as a 17 year old girl in order to get naked pictures  from teenage boys. This type of activity is unavoidable as long as Facebook doesn't do more ... More? Facebook doesn't do anything to verify who you are when you sign up. The surprise here isn't that someone posed as a teenager on Facebook to get naked pictures of other teens, it's that we don't hear of it more often. I would say I'm glad we don't, but I have to wonder how many just aren't getting caught. And it concerns me because I have teenagers and kids who are going to be teenagers in a few years. Do you know all of your kids Facebook friends?

TOR: Peeling the onion

One way you can enhance your privacy protection on the internet is to use TOR (The Onion Router). TOR is the second generation implementation of onion routing. Onion routing is done by encrypting the data in several layers, like an onion. You run a TOR client on your computer and it encrypts your queries then sends your internet traffic to the nearest TOR proxy, which then routes it through at least 2 more TOR proxies. To the computer you are sending data to, whether it is a web site, ftp server, or whatever, it looks like your data is coming from the TOR server your data exited the network from.

Just as with any security system, there are things you need to be aware of, and the TOR download page lists some. One other gotcha that is mentioned somewhere on the website, but I can't find it at the moment, is the bandwidth and processing overhead required. Your web queries are being encrypted on the fly by your computer, and every query you send has have one level of encryption removed by each TOR server it goes through. That takes a little time, which means your queries take a little longer to reach the server you're sending them to. I'm using an older 1.33 GHz Powerbook, and TOR is useable, but the processor hit is noticeable. The bigger problem for me is the loss of javascript and Flash. You don't know how many sites you go to use those until you try to do without them.

But despite the imperfections, if your main goal is to obsure the origin of your web traffic, TOR is a useful tool. If you plan to just use it for browsing the web the default install bundles work great with Firefox. There are bundles for Windows, Mac and Linux, and they are preconfigured with additional software to make using TOR as easy as possible, even for people who aren't that technically inclined.

You can download a TOR bundle that pretty much sets you up for browsing with Firefox here (you have to install Firefox).

Check these pages on Wikipedia for more information on TOR and Onion Routing.

[Updated at 7:25 am for clarity by Bert]

[Updated at 11:45 am for clarity and spelling (Linux doesn't have an 's') by Bert]

Cost of music piracy: $2,250 per song.

Are you one of the people still sharing your music over peer to peer networks like Limewire? In the 'Threat Level' blog for Jan 22, David Kravits tell us about Jammi Thomas-Riset, who was fined 1.92 million for sharing 24 songs. That's $80,000 a song! Jammi's lawyer asked that the price be reduced. The judge agreed, and reduced it to the minimum allowed, $750 per song x 3. The judge called the original amount "shocking."

The RIAA is a fear-mongering bully, and they need to be forcd to disband and allow artists to do their thing. The premise that internet sharing reduces CD sales is hogwash, and 70's folk singer Janis Ian makes a good case for the opposite here, and Eric Flint of the Baen Free Library makes a similar case here and amplifies on it here. Ian's article is also published in "Prime Palaver" on the Baen Free Library website. Both people can demonstrate that offering things free (including having your music pirated) leads to more - not less - sales.

It's inevitable the entrenched businesses with "strategies that work" will react violently to any new model that makes their way of doing business obsolete. But it's getting old. The iTunes music store has demonstrated quite well that legal online sales are not only feasable, but can be highly lucrative. But they still want to alienate their users by suing them. I'll never understand the corporate mind.

What's coming up

Over the next couple of weeks we'll look at a couple of the more involved things you can do to protect your privacy as you go about your online life. For starters we'll look at TOR (The Onion Router) and GPG (Gnu Privacy Guard), the open source version of PGP (Pretty Good Privacy). A little later we'll look into other secure email and web surfing options. We'll also be looking at little things like the FBI's illegal tapping of phones without any kind of warrant or proof of need.

And the loser is...

Remember the RockYou breach I told you about back in December? There may have been a beneficial result. Since the hacker published all 32,000,000 passwords he stole, it was possible for the people at Imperva to analyze them and find out what the most common passwords are. Of course, being the most common, they are the worst possible passwords to use. The free report is available here.

The report is worth reading, if only for the top 20 list. Here's a sample:

#1 123456

I think that is the first thing tried after 'password' when trying to guess passwords

#20 QWERTY

And this is probably about #10 on the list of passwords to try when guessing.

Remember to use strong passwords. Imperva estimates that it would be possible for an attacker to crack 1000 RockYou accounts every 17 minutes. That would be all 32,000,000 accounts cracked in less than 2 weeks.  Ok, not all accounts, because there were some strong passwords among them.

Strong passwords consist of at least 8 characters and are made of upper and lower case letters, numbers and special characters. Make all your passwords strong passwords.

PlainsCapital vs Hillary Machinery

tx_plow_boy asked what I though about "my bank" after the revelations by Hillary Machinery. Hillary is alleging that negligence on the part of PlainsCapital led to the theft of over $800,000 from Hillary Machinery's account. $600,000 was recovered, but Hillary Machinery wants PlainsCapital to admit that they are responsible and pay up.

I've read Walt Nett's article,  "Company, bank blame each other," in the Avalanche-Journal. I've read what Hillary Machinery says in the news section on their website, and I've read the two stories about similar breaches they link to directly from their site. I'm going to take a closer look at the info we have on the Hillary Machinery breach and see what I can come up with. Most of the information I'm using will be straight from their website. As we look at this the circumstances of this theft, keep in mind that I am not a lawyer, and I have only the information I've read (and linked to for you) to go by.

Looking at the info provided by Hillary Machinery on their website, here is what we have. To shorten this a little, I'll take it point by point.

1. In November 2009 PlainsCapital became the target of cybercriminals. They used vulnerabilities in PlainsCapitals internet banking system and initiated fraudulent wire and automated clearinghouse transfers.

Since I can find no mention of similar data breaches at PlainsCapital, I would probably classify the bank as a victim. It appears that the target was actually Hillary Machinery. For the same reason, I would say that the bank was not where the vulnerabilities were exploited. The normal scenario when an institution gets breached is to grab as much information as possible, or in the case of banks, grab money in small amounts from as many accounts as possible. Grabbing a large amount of money from one account points to the exploited vulnerability being at Hillary Machinery.

2. Even though the transactions were not authorized by a representative of Hillary Machinery Inc and inconsistent with Hillary's the bank still allowed them to occur.

The "not authorized by a representative of Hillary Machinery" is a bit of a red herring. If the perp stole the needed information from Hillary Machinery, the bank woudln't know that it wasn't someone from Hillary until the transaction was set in motion, and even then maybe not until two or three had been made. At that point the bank should have contacted the company to make sure the transactions were legit.

3. To make matters worse, PlainsCapital Bank has yet to take responsibility for the stolen funds claiming that their Internet banking systems are "reasonably secure."

Face it. The bank can't admit any culpability. The second they admit any kind of fault they will be sued out of business. If this case ends the way these things usually do it will be settled out of court with PlainsCapital paying some undisclosed amount without admitting any fault.

I don't think the lions share of blame goes to PlainsCapital on this one. It looks like Hillary was breached, whether by a virus, a trojan, or social engineering. Any share of the blame that goes to PlainsCapital goes after Hillary recognizes their own part in this very expensive fiasco.

I hope that answers your question, tx_plow_boy.

Microsoft, Champion of Privacy?

Microsoft has a pattern in the way it does things. When it wants something done a certain way, it does it, and damn anyone who tries to go another direction. Now Microsoft has decided that it's time to let go of information instead of hording it. In a column at Information Week, Microsoft Boosts Bing Search Privacy, Thomas Claburn tells us that Microsoft is going to remove the IP data from searches after six months rather than the eighteen that Google does. But Microsoft falls short of Yahoos commitment to delete most search info after 3.

And there lies the rub. Microsoft is used to being the big dog on the block when it decides on a move. According the seoconsultants.com Bing is third in the search engine race. Google is first with over 70% of the search engine traffic. Yahoo is a very distant 2nd with a little under 15%, and Bing is relatively close behind Yahoo at a little under 10%. In other endeavors Microsoft can bring it's massive OS dominance to bear. In search that dominance is less helpful. If they can't give the results that Google or even Yahoo can, they won't dominate.

Search isn't the only area Microsoft is coming forth as a privacy champion. Cloud computing, which is an area Microsoft might be able to influence, is another area the Redmond giant is preparing to address. In her PCMag.com article, Microsoft Urges Cloud-Computing Privacy Bill, Chloe Albanesius reports that Microsoft's lead council, Brad Smith, lobbied (she said urged - sounds nicer) Congress for a modern privacy bill and unveiled a report that shows the vast majority of people are worried about their data in the cloud. In a keynote at the Brookings Institute in Washington D.C. he said:

"As we move to embrace the cloud, we should build on that success and preserve the personalization of technology by making sure privacy rights are preserved, data security is strengthened and an international understanding is developed about the governance of data when it crosses national borders."

He went on to say that the government needs to modify and pass laws to protect data and privacy as we move to cloud computing.

This all sounds very good. Microsoft may have realized that protecting data in the cloud is in it's own best interest. Crooks might go after my data, but they're more likely to go after Microsofts if we are both equally insecure. Only time will tell if Microsoft legitimately wants better privacy controls, or if they're preparing to exploit loopholes.

Facebook: More bad, a little good

The Bad

As if it weren't already dangerous enough to be on Facebook, Ellinor Mills writes in her column on CNET that researchers have found Facebook is vulnerable to click-jacking. In essence, click-jacking is putting an invisible layer over a legitimate web page. When a link on the legitimate page is clicked, the invisible layer hijacks the click and sends the person somewhere they didn't want to go. The same researchers also noted that Facebook allows third party apps to access user data without warning them. I've talked about this before - most recently in response to a comment yesterday. Facebook had a response to this problem:

"The only information apps can access without first showing the 'Allow' screen is publicly available information (the limited set of info that includes name, profile picture, gender, networks, friend list, and pages) and information set to be visible to everyone on the Internet," Facebook spokesman Simon Axten said.

The "limited set of info" seems overly broad. Does mafia war really need to know the networks I belong to and every friend I have on Facebook? And the default for all information on Facebook is now "set to be visible to everyone on the internet," so Facebook tells the apps I use everything I have on Facebook, unless I've changed the defaults. And they don't tell me they're doing it. It would be interesting to know how many people tighten their privacy on their Facebook accounts. I bet it's a pretty low percentage.

The Columbus Dispatch carried an article by Bridget Carey highlighting the many ways you risk identity theft by using Facebook. They range from viruses to fake friend requests. The problem is only made worse by the tendency to be more trusting on sites like Facebook.

The Good

The Tech Chronicles blog notes that Facebook is warning users about Haiti relief hoaxes. If you want to help Haiti through Facebook, go to the Facebook Global Disaster Relief Page.

A cnn.com story informs us that caller id spoofing company spoofem.com is going to be giving 2 super bowl tickets away to people who become fans of their Facebook page.

Well, that's the good and the bad today.

More Facebook woes...

I've been saying Facebook is dangerous for years - to be fair, I'm not the only one - but it's amusing to see three stories about three different risks of using Facebook in one day. Well, they weren't all written the same day, but I saw them all on the same day.

PC World tells us: Job Seekers, Watch Your Walls -- Employers Check Facebook Among the other stats provided in the article: 53% of employers check social networking sites like Facebook when vetting potential employees and more plan to start. A lot of employers have let people go because of what's on their Facebook page, too.

From IndyPosted: AT&T Error Allowed Unauthorized Facebook Access. Apparently there is a problem with how cell phones connect to the internet - there is no indication of whether it's only on AT&T's network. The problem caused a family to be sent someone elses Facebook login info. [Update: According to CNET's Insecurity Complex column AT&T has fixed the problem.]

The Security Watch blog at PCMag.com asks the question, Is Facebook privacy a sham? And with good reason. Facebook supplies a public link for you to give to people who are not members. It allows people who are not members of Facebook to look at pictures that you have labeled "Me Only". Does no one at Facebook see the problem in this?

I don't hate Facebook. Social networks can be a great tool. I even have an account. But I am concerned that even the people who try to keep most of their info on Facebook private are doomed to expose far more than they intend because Facebook doesn't really allow users to keep anything private.

Lincoln National: Weak security, strong customer care

Lincoln National discovered last August that there were several shared usernames and passwords that had been created in 2002 for the purpose of making it easier for staff to perform administrative duties. I can't say from intimate knowledge of Lincoln Nationals employees, but I imagine the thinking went something like this:

It will save a lot of time if we don't have to log out every time we leave a computer so other people log in if they need to...If we just make a few logins and share the information it'll save tons of time."

Of course, this goes against PCI and Sarbanes Oxley compliance because it ruins accountability. If more than one person uses a login it becomes almost impossible to prove who did what with it. Most companies I know check for shared logins (also known as generic logins) on at least a quarterly basis and get audited annually, so I'm not sure how this little snafu went on so long.

The company says that there is no evidence of improper use of the shared logins, but since there is no way to prove that no data was compromised Lincoln National is notifying state agencies and customers voluntarily and offering customers free credit monitoring.

It's nice to see a company that steps up to the plate and does the right thing when they screw up. I have a feeling there may still be an investigation and maybe some fines, but it won't hurt Lincoln National's case that they looked after their customers when a problem was discovered.

Facebook gives McAfee away

Facebook seems to have realized it has problem. The Tech Chronicles blog tells the tale. To help curb runaway viruses and software Facebook has forged an alliance with McAfee to provide McAfee software free to Facebook users for 6 months to protect their computers. You have to go to the McAfee fan page, join up, and download the software.

If you already have security software and aren't having any problems I'd say don't worry about it. But be glad Facebook is showing signs of beginning ot understand that it is responsible for the well-being of it's users. I'm not real hopeful, but at least the appearances of concern are there.

How's your Online Rep?

I was going through my alerts today, and a Smart Planet blog caught my eye. Titled, "How to build and manage an online reputation," it's a good primer, and has some good links at the end of the article. We'll go over some of what they say, and some of what some other people say, but I recommend checking out all of the sites linked today. They all have a lot more to say than I can repeat here.

According to the article at Smart Planet, the first thing you need to do is find out what's out there about you. Just a few years ago the only people who really had to worry about their online rep were people who'd reached a certain status level in certain technical fields. Today almost any job you go to will check out your Facebook page and/or hit the search engines.

Have you googled your own name lately?

Some privacy advocates say googling yourself is a bad idea. Frankly, you can't afford not to google yourself - and Yahoo and Bing yourself (that last one just doesn't sound right, does it?).  What you see is what potential employers are going to see, and each search engine give slightly different results.

Another blog entry at onlinereputationedge.com brings up a good, but seldom talked about point - what you say about other people online usually says a whole lot more about you than about the person you're talking about. So be careful what you say. And remember, once you put something online, it will never be gone, so the bad impression you create today could come back to haunt you thirty years from now.

Onlinerepmanagement.com uses Kanye West to teach us that even the biggest blunders - or group of blunders - can be mitigated by an active online presence. Because he is very active online you won't see much negative about him when you search for his name, even after 2009's gaffs. It's amazing what an active online presence can take care of.

That's it for now. Stay safe and work on that online rep.

Scans sans naughty-bits - maybe

An article on the Syndey Morning Herald web site tell us that we may have been lied to. We were told that the full body scanners would not be able to save or transmit images. But it turns out that not only will persons with high level passwords will be able to enter a mode that allows export of pictures, they will also be able to remove the filtering that blurs the naughty bits. But I'm more bothered by the fact that we were lied to than anything else. We should have been told that the ability to export pictures exists, and offered solutions. Better yet, we should have been told that before ordering millions of dollars of scanners their ability to detect bombs would be fully tested. But once again we go in half cocked without really knowing what we are doing or how we are going to do it. To be honest, I never really believed that the ability to save the pictures or remove the blurring would be completely removed. The usefulness of having the images in some instances is undeniable. The idea of deleting them beyond all hope of recovery seemed almost criminally negligent.

Of course, spending millions of dollars on a technology that may not even address the problem it is supposed to solve is equally negligent. But I suppose I shouldn't be too surprised. We did it after 9/11 and we'll probably do it after the next successfull attack.

Contactless card breach

Finextra reports a contactless card breach in Queensland, Australia. Somehow cash from one card was transferred to another card held by a person with the same name as the holder of the first card. It's not clear how the transfer happened, although it is being blamed on staff failing to follow longstanding security procedures.

It may not seem like a big deal, but its important to know how the switch happened. It's unlikely that the switch was caused by the cards. I've never liked RFID enhanced cards, be they ID's or credit cards. But this time I'm fairly certain the card is not the culprit. It is most likely either human error - which seems to be the official line - or a computer error. I'm sure the hope is that human error really is to blame. Then the solution is training or replacement. If it's computer error, it might not be fixable until the next system upgrade - and that could be bad news. System upgrades might be years down the road. Meanwhile, your metaphorical tail is left swingin in the breeze.

As we see more of these stories, will we come to realize that we would have been wiser to slow down and make sure things work the way we think they will before becoming very dependent on them for our wellbeing?

Eternal Ignorance

There was an interesting thread on one of the lists I subscribe to a few days ago. I'm going to share some of it with you. I'll be using screenshots of the emails so you can see the actual conversations, and see how some people will not learn. I hope you find it interesting, or perhaps even amusing, as only the pigheadedness of people's desire to get something for nothing (or at least at a heavy discount) can be.

The original poster (OP) was looking for cheap software:

[caption id="attachment_640" align="alignnone" width="419" caption="Seeking deals in spam"][/caption]

Everything about this deal screams "SCAM". Others agreed.

[caption id="attachment_643" align="alignnone" width="466" caption="Pointing out his error"][/caption]

OP disagreed with everyone (there were many more, "Don't Do it!" posts.

[caption id="attachment_656" align="alignnone" width="432" caption="Does he really believe this?"][/caption]

Did anyone actually read the first graphic? Do you remember him saying his VISA card was compromised in December, and he has no idea why.

I finally tried to explain why he was wrong. It didn't do any good.

[caption id="attachment_661" align="alignnone" width="600" caption="I weigh in"][/caption]

The moderator killed the thread, but not before it was obvious that, no matter the risk, this guy was going to try to buy from spammers. Of course, part of the problem was his definition of spam. To him, any mention of a product in an electronic medium is spam. I know this because he used a thread about the Magic Jack internet phone service as an example of legitimate spam.

The rest of his problem was he didn't want to be educated. He asked for advice, then completely disregarded it. I'm sure one day he will be wondering how somebody found out enough about him to rack up hundreds of thousands of dollars worth of debt. Or maybe only tens of thousands. Either way, he could have gone a long way toward avoiding it by just not using spam to shop with.

Oh, and that link to check websites is: http://www.siteadvisor.com/
Enter the URL of the site you want to check in the box on the right:

[caption id="attachment_664" align="alignnone" width="600" caption="One useful tool"][/caption]

Of course, if you are using current versions of most browsers, many have built in sitecheckers. But it's hard to overtest these things.

Hope this was helpful. Keep your eyes open and keep safe

Eternal Vigilance!

[caption id="attachment_605" align="alignnone" width="575" caption="One way to lose your identity"][/caption]

Once, years ago I almost fell for exactly this type of scam. I caught myself in time, but it was a near thing. Remember that if your credit card, bank, or anyone else who has enough information to pretend to be you ever calls asking for you to prove who you are, hang up and get the number off the back of your credit card or out of the phone book and call them. If they still say your information has been stolen, you can take the appropriate steps. But never give personally identifying information in direct response to a phone call, email, or mail.

Cartoon used with permission.

Airport romance never pays

Of course, it would help if a little common sense went with it. Friends describe Haisong Jiang as a hopeless romantic. They say he just wanted to say goodbye to his girlfriend one more time. They also say that he didn't realize what a flap he would cause. He's a doctoral student in molecular biology, which would indicate a certain amount of intelligence. But sometimes people do fit stereotypes. I knew a chemical engineering Ph.D. candidate who was incredibly book smart, but was the poster child for the uncommonness of common sense. So I'll give Haisong Jiang the benefit of the doubt on not realizing how much trouble he would cause by crossing that rope to go into the secure area with his girlfriend in Newark Airport January 3rd.

But I watched the video of the his transgression (well, I watched the 6 minute unedited video), and it is obvious that he did know what he was doing was wrong. He waited around for several minutes, even after the guard asked him to move on. And I would think his girlfriend should be held responsible as well. She waited until the security guard was gone and came back for her boyfriend, then walked with him to the 'secure area.'

The guard is also culpable in this fiasco. He should not have left his post unattended. If he had some serious business he needed to attend to he should have called for relief.

How much trouble should they be in? I'm not sure. Unless he's been an exemplary employee for a long time, I would strongly recommend firing the guard. There is too much relying on his vigilance to let a slip like that slide. The lovebirds? I'm a little torn. I think they need more severe penalties than the crime he is being charged with carries (she isn't being held responsible, AFAIK), but I don't really want to ruin to lives over what might have gone entirely unnoticed a few short weeks ago.

That's the kicker, of course. And perhaps the damning bit that's missing. These two have been carrying on a long distance relationship for a year or so. How many times have they played exactly this scenario when she visits? Or when he visits? As I said earlier, he was obviously waiting, and it appears that she was, too. It looked like they had either done this many times, or planned it very carefully.

His reaction when he found out the police were at his house is also interesting. Almost like he was expecting it eventually. According to a story in the NY Daily News, he said, "You got me." It doesn't sound like there was any surprise at all. That just leaves the question, why is he the only one being charged?

Why does the girl go free when she went to get him - knowing he wasn't supposed to cross the secure barrier? The guard is facing disciplinary action, the boyfriend is being charged, however lightly, and the girlfriend walks. Doesn't sound right to me.

Full body scans: Trading privacy for illusion of security?

Hebba Aref has been a privacy advocate for some time. And she experienced anti-muslim prejudice first-hand when she was told that she couldn't be in a picture with Candidate Obama because of her head scarf. That was an overzealous volunteer, and Mr. Obama called her personally to apologize when he found out. I can imagine that was a defining moment in her life.

In the past she has been against full body scanners and profiling in airports. Then she sat six seats in front of a young Nigerian man on Christmas day, 2009, and she remembers the sound of the detonator, the flash, and the terrorist being led down the aisle with no clothes on below the waste.

Her experience that day changed her view of how airport security should be handled. In an article in the Detroit Free Press she says: "I'm always standing up for rights and privacy concerns, but now I hope that body scans will be mandatory," Aref, 27, said Wednesday. "Balanced against national security, it's worth the invasion of privacy. And I acknowledge the fact that there has to be attention paid to Muslims."

Coming close to death is a life changing experience, but often after some time has passed and the fear moves further away people revert to their previous opinions and attitudes. Only time will tell us if Miss Aref will continue to favor body scanners and profiling. But her story, moving as it may be, is just another emotional appeal, and emotional appeals are poor things to build policy on. Granted emotional appeals are the stuff that shapes public opinion, but they're still bad for building policy.

One of the more interesting quotes on full body scanning and privacy  came from an article in the Washington Post on January 4, 2009. It was about the images generated. It said,

"They're virtual. Passengers walk through the machines fully clothed; the resulting image appears on a monitor in a separate room and conceals passengers' faces and sensitive areas."

Correct me if I'm wrong, but I believe "sensitive areas" refers to the breasts and groin on women and the groin on men. If the groin area is concealed, how are we protected from an underwear bomb?

Here are a few other quotes from the same article:

"It covers up the dirty bits," said James Carafano, a homeland security expert at the conservative Heritage Foundation.

"I don't think it's any different than if you go to the beach and put on a bikini," said Brandon Macsata, who started the Association for Airline Passenger Rights.

"It covers up the dirty bits," and it's the same as a bikini ... that sounds to me like the primary area of concealment - the crotch, will be concealed by software in the scanner. That makes it kind of hard for the human viewing the image to see if anythings been added to the area.

I've read that the full body scanners are not designed to detect the types of explosives used in most terrorist attacks. According to an article at newsdaily.com, Dutch Interior Minister Guusje ter Horst said that there is no 100% gaurantee that the new detectors would have caught the underwear bomber.

Adding fuel to the fire - or not, since there's been almost no mention of it anywhere else, the Independent ran an article, Are planned airport scanners just a scam? on January 3rd reporting that British research into full body scanners showed that they would not detect an explosive of the type used by the crotchbomber. According the to article,

"But Ben Wallace, the Conservative MP, who was formerly involved in a project by a leading British defence research firm to develop the scanners for airport use, said trials had shown that such low-density materials went undetected.
Tests by scientists in the team at Qinetiq, which Mr Wallace advised before he became an MP in 2005, showed the millimetre-wave scanners picked up shrapnel and heavy wax and metal, but plastic, chemicals and liquids were missed. "

Other interesting claims are made. Supposedly American experts have stated that traditional airport pat downs wouldn't have stopped Mr. Abdulmutallab from getting on the plane. There's a really simple reason for it. In the U.S. the security people aren't allowed to frisk sensitive areas. Not that frisking those areas will stop everyone. I was with a friend going into "The Who's Last" concert in Dallas in 1983...I think that was the concert...anyway, they were frisking everyone. My friend had a recorder with the mike in his pants. The officer hit the mike,

"What's that!"
"My d**k."

The officer got a surprised look on his face and waved him through. I still wonder if anyone managed to get something more dangerous in that way?

For me the scanner issue isn't really about privacy, although that is important. It's really about using unproven technology without making sure the measures we already have in place are working. To be honest they usually do work, but we need a lot of improvement. And before we spend $165 million on scanners we should spend a few hundred thousand making sure they do what is claimed.

Does anyone remember the bomb sniffing machines they spent millions on after 911? The machines that are mostly decommissioned because they didn't work as claimed, and spent more time broken than working? We don't want that to happen again - but it's probably already to late, because they've already ordered them. And they may not even detect the explosive they're being bought to protect us from.

The more things change the more they stay the same.

[Edited at 12:21 to improve headline by Bert]

Well, Duh...

I hate that word. It's rude, disrespectful, and shows how utterly low your opinion of someones intelligence really is. But sometimes it's appropriate. For instance, I was looking through my alerts, and Credit.com just leapt out with a "DUH!" headline, "Data breach statistics show sign of a widespread problem."

Don't get me wrong, the headline is accurate, but to anyone who's been watching these things, and I suspect many who haven't, that's kind of like saying fire is hot. Apparently 1 in 6 people in Massachusetts have been victim of identity theft, and that is what brought this problem to their attention.

1 in 6 people. With the number and scope of data breaches that have happened just in the last two years it's a little surprising it's not 1 in 4 or even 1 in 3. I know 2 people whose identities may have been compromised, and 1 whose identity was most definitely stolen. Identity theft is a big problem, I'm just surprised it took Credit.com this long to realize it.

Obama shoulders responsibility

Whatever you may think about President Obama's handling of the economy, foreign relations, or the war on terror, yesterday he stepped up to the plate and acted like a leader. He gave a broad outline (which was all he should have given) of what went wrong and what will be done to fix the problems. And that's where it gets sticky. I've been doing a little research on those handy-dandy full-body scanners that everyone's talking about, and I like the idea of using them less now than I did before. In a couple of days I'll go into some of the problems with them. But aside from the full body scanners, it looks like President Obama is taking this threat to our security seriously now and taking real steps to keep us safe from external threats.  That is his primary job as President.

Bono's hurting because of music pirates?

In a New York Times editorial U2 front man Bono gives his top ten things he thinks are important for the next decade. His second item is a plea to stop this horrible thing that has almost killed the music industry - file sharing. Not for the sake of artists like him, but for the little guys trying to get started. The ones who can't make a living because their music is being distributed free by pirates. He apparently does know how ridiculous he sounds, because he ends the section with, "Note to self: Don’t get over-rewarded rock stars on this bully pulpit, or famous actors; find the next Cole Porter, if he/she hasn’t already left to write jingles."

There are a few things he is ignoring, however. There is a thriving indy music industry based on internet distribution. Many young artists have started their careers using the internet and are quite happy as regional sensations. Other types of content providers have discovered that carefully managed free distribution increases sales instead of decreasing them. Baen books started an experiment in 1999 or 2000. Instead of trying to stop internet sharing, they embraced it. They put some of the older titles of authors who were willing to give away a book or two online as free downloads. They're still doing it today. I'll give you three guesses why.

If you are a fan of fantasy and science fiction, check out the Baen Free Library. And see how intelligence and forward thinking handle new "problems". And after picking up a book or two by an author you've never read before, if you like it, buy something else by the same author. After all, he was nice enough to give you an enjoyable free read, and he's got bills the same as you and I.

Facebook Frightened?

Facebook is suing to keep you from leaving. In the past year a few services have risen to enable us to remove all evidence of our existence from the likes of Facebook. And Facebook is unhappy. Seppukoo.com allows you to commit "virtual suicide" - something I am not sure I like, even as a joke. But it is a novel idea, and one that Facebook doesn't like. They have sent a Cease and Desist (link to pdf) order, which the founders of Seppukoo have replied to ('nuther pdf). Not surprisingly, it's a polite "bugger off". I hope they have good legal council. I think morality is on their side, but it's been a long time since justice and morality played a part in any legal system I've seen. Oh, and if you do use Seppukoo but want to be reborn, you can get your socialnetwork going again by the oh so stressful task of logging into your Facebook account.

Another service, Power.com, allows you to access many social networking sites from one, making social networking easier. Again, Facebook is taking legal action. I can understand this one. Facebook makes money from ads. No visits to your Facebook page, no ads displayed or clicked, no money.

Last, we have Suicide Machine, a service which will completely remove you from Facebook. You cannot simply log back in, you will have to create a whole new Facebook profile after using Suicide Machine. Facebook is blocking the Suicide Machine IP, so right now the service isn't available.

The amusing (sic) thing about Facebooks reaction to these services is that they claim to be doing it out of concern for users privacy. They obviously think being concerned with privacy = being soft in the head. How can my choosing to use one of these services be more hazardous to my privacy than Facebook making the default "privacy" setting for everything "Share with the world"?

Double standards. Gotta luv 'em.

Full body scan - shield or show?

Full body scans in airports - they're getting a lot of attention again, both for and against. One blog feels that just by agreeing to fly we are consenting to scanning. Another story on Canada.com agrees. It asks the seemingly reasonable question, "Do we need to see hundreds or thousands killed for the privacy objectors to back off?"

Privacy groups are against the full body scanners, saying they are invasive and demeaning. Flyersrights.org and the ACLU are both against the scanners. In a release on its website the ACLU says:

"We should be focusing on evidence-based, targeted and narrowly tailored investigations based on individualized suspicion, which would be both more consistent with our values and more effective than diverting resources to a system of mass suspicion," said Michael German, national security policy counsel with the ACLU Washington Legislative Office and a former FBI agent. "Overbroad policies such as racial profiling and invasive body scanning for all travelers not only violate our rights and values, they also waste valuable resources and divert attention from real threats."

I have to admit, I lean more toward the ACLU position. Yes, I know that a full body scan might have caught the explosive in the bombers undies - although there are claims that the bomb would have made it through a scanner. But that isn't really the issue. The issue is that we don't need to add any new security measures, we need to properly use the ones we have.

I can't say it enough. The system is broken. People are saying, "We need full body scans to keep anyone else from getting through." No, we need to start making full use of the intel we're gathering. Bush dropped the ball when he didn't follow through on his order that the U. S. intelligence agencies, FBI, CIA, NSA, etc. share information, and Obama is following his example.

The point in this is not that a scanner would have stopped this guy before he could turn himself into a eunich. It is that he should never have made it to the point where he would have to go through a scanner. We had more than enough info to forbid this guy to get on a plane. He was on a watch list, then his father notified the U.S. Embassy that he had been radicalized and might do something dangerous. That would have put him in a "watch very closely" list for me. Not for the U.S. government. According to examiner.com:

"On November 20th the embassy sent a "Visas Viper cable" to the State Department which detailed the father's warning.  The information was then given to the Counter-Terrorism Center in Washington D.C. which ruled that their was insufficient information present to revoke Mutallab's visa."

While people are screaming for more measures to limit our freedoms and take away our rights, the real problem is that the information we are gathering has everything we need to stop these terrorists, if we would only use it. Putting scanners in the mix will not make us safer, it will only be one more layer of false security.

No matter what methods we devise to detect explosives at the airport, our first and best line of defense will always be gathering data to stop terrorists before they can get a ticket. And the evidence shows we're doing a good job of gathering it, we just aren't using what we're getting.

Rockyou sue

I told you about the RockYou data breach a couple of weeks ago. They kept over 30,000,000 passwords (and usernames plus personally identifiable information) on their servers in plain text files. CIO.com reports that a class action suit has been filed in California for a number of failures by RockYou to protect user data and failure to report as required by California law when data was compromised.

I suppose it's not too surprising that the RockYou data breach is ranked as one of the top 5 (or should that be bottom5?) data breaches of 2009 by PCWorld, but the sad thing is that in today's day and age they should have been the worst. PCWorld didn't actually rank the top 5, just picked the worst 5 and listing them. But several qualify as worse, either for the number of people affected or the length of time it took to report the breach. One company took six months to notify anyone of a data breach. As long as companjies try to stall like that, notification laws will be needed.

What is cloud computing?

Cloud computing is a term that isn’t precisely defined yet. Some define it as anything that takes place outside of the your firewall is “in the cloud.” Others define it as the next stage of utility computing. Whatever it is, it’s big now, and looks like it’s only going to get bigger. For our purposes, cloud computing is when data retention and processing are turned over to an outside service provider. As noted by howstuffworks.com, if you've used one of the popular web-based email clients such as yahoo, gmail, or hotmail, you've used cloud computing.

That seems pretty harmless. But protecting email is one thing. Protecting major financial, medical, or other sensitive data is quite another. And we have problems protecting the email. There are ways of analyzing memory usage to steal data when two programs are running on the same computer and operating system. Theoretically it should work for two virtual computers running on the same server, but with dozens or hundreds of them running on a server, it was believed that actually isolating useful data that way was very unlikely.

Technology Review ran a story on cloud security called "Security in the Ether". One of the first things it talked about was three researchers who had shown that it is possible to monitor virtual machines the same way. They did their research on Amazon's cloud servers, but Amazon says they have taken steps to make sure that data can't be stolen by that method anymore.

But that isn't the only concern about cloud computing. There are concerns over downtime, application security, data security, the human factor. Perhaps you've heard that the more people who know a secret, the less likely it is to remain secret? There's a cloud computing corollary. The more people in the cloud, the more likely there will be a breach. And cloud computing is only economical if lots of people are using it.

"The Cloud" is easy to fall through

In the NY Times "Bits" blog, Nick Bilton asks if your data is safe in the cloud. And with good reason. He's just read an article by David Talbot that examines what types of problems exist in cloud security. He finds two researchers whose work shows that it isn't all that difficult to gather data from the cloud. The article goes on to ask a lot more questions, but the gist is that data in the cloud can be very easy to access. The risks are high, and that data will be compromised is almost certain. Before we leap willy-nilly into this thing called cloud computing, it would be a good idea to understand it a lot better, and work on it's drawbacks. But it doesn't look like that's on anyone's agenda, and some things are going to have to go radically wrong before it gets put there.

Tomorrow I'll be looking at what exactly cloud computing and how it works - and how that effects your data in the cloud.

The obligatory New Years Prediction

I have one prediction for 2010. With Google Docs seeing wider corporate and enterprise adoption the opportunity for truly devastating data breach is increasing as well. The security issues on cloud computing are still being defined, but companies and municipalities are starting to use Google Docs, either to support Microsoft office, or replace it. Los Angeles has chosen to move completely to Google Docs over Microsoft Office. According to a Google advertisement, 60% of U.S. state governments have "Gone Google", meaning they have opted to use one or more Google enterprise application services.

Does this mean that our state governments are trusting Google with sensitive information? Not necessarily. In fact, probably not. But it does mean that there is a lot of information being entrusted to Google that wasn't just a few months ago. And there is no way to ensure that sensitive data won't be sent through Googles servers, and that brings us to my prediction: This year there will be a data breach of unrivaled severity, and it will be through Googles cloud computing services. It will massively slow down the adoption of SAAS (software as a service) as companies and individuals realize the security models we have today are not suited to the cloud. It will strengthen Microsofts position (supposedly threatened by Google Docs) in the enterprise as organizations trip over each other to get away from Google Docs and back to Microsoft.

Such a breach could be a good thing in the long run if it makes us look at cloud computing and reexamine our security paradigms in light of the new and unique requirements of protecting data in the cloud. But depending on what is breached, in the short term it could be very ugly.