Friday, April 30, 2010

Choosing to host malware

ZDNet's Dancho Danchev report on a disturbing development in activism; the opt-in botnet.

In case you don't know what a botnet is, it is a group of computers that have been taken over by malware that allows someone besides the computers owner to take control and/or use the computer to attack other computers, servers, and even botnets. Usually the people hosting the computers in the botnet don't know they've been infected. In the case of an opt-in botnet, though, they do. Not only do they know, they've intentionally infected their computers so a coordinated attack against an entity their activist group doesn't like can be launched. This is similar to activists chaining themselves to trees, vandalizing government (or other) buildings, or bombing whatever they don't like.

This kind of activity is illegal, but most people who become part of opt-in botnets either don't know this, don't care, or think that, as part of a large group, they are less likely to be singled out. They may or may not be right about that last one.

One of the things that make opt-in botnets feasible is the rise of social networking sites such as Facebook and Twitter. But while they make such things easier, they don't guarantee success. The article examines some successful and not so successful opt-in botnets. It's interesting reading. If you find such things interesting, check it out.

Thursday, April 29, 2010

A blip from Blippy

A few months ago a new social networking service started up, one with a model I thought would never take off. Blippy posts your credit card purchases online in short, twitterlike 'blips'. The information posted includes what was purchased, where, and for how much. It's not supposed to include your credit card number. But according to Gigaom.com's Liz Gannes, for 196 transactions last week that's exactly what happened. According to Philip Kaplan, cofounder of Blippy, the transactions were from early in the services beta period, but was still being cached by Google. The problem has since been fixed - the search that had revealed credit card numbers doesn't now.

But this just brings us to the burning question in my mind. Why would you want this information to be published online, even without the credit card number? I do see a bright spot, however. Whenever I tried to use Blippy NONE of my accounts showed up to be shared. I guess they know how I really feel about their service.

Update: Blippy has since apologized, contacted affected users and promised to help them with any issues that might come up from the exposed data. They have also commited to hiring a Chief Security Officer (they didn't have one?!!!).

Wednesday, April 28, 2010

Tori Pennington could have lived

Last Saturday Tori Pennington's body was found by her 12 year old son. In Tuesdays Avalanche-Journal Robin Pyle reported that she was allegedly killed by a man she met through an online dating service. At the time I'm writing this not a whole lot is known, other than she had been talking with Dustin Kendrick online and over the phone for an undisclosed amount of time. It is presumed that this was their first face-to-face meeting. This isn't the first online relationship in Lubbock to end in murder. In 2004 Joanna Rogers disappeared and was later found dead in the Lubbock Landfill. Her killer was initially connected to her by chat records and emails on his computer. We can only guess at the number of people in Lubbock who have been beaten by people they met online but never reported it.

Sometimes bad things happen. But often they can be avoided, and meeting online doesn't have to be any more dangerous than any other way to meet people. So here I am going to suggest a few steps to take when meeting people online. They won't guarantee your safety, but they will at least reduce the risk. They aren't in order of importance because they are all important.

  • If you're looking for dates online, go to a large, reputable site that does at least a little checking on it's members. The final call is still up to you, but every extra bit of screening helps.

  • Spend plenty of time getting to know them online before meeting in person. The longer you interact and the more you see of their actions, the more likely you're seeing "the real them."

  • Don't give them your address or home phone. Give a cell phone number - in most cases you can't get an address by looking up a cell phone number on the internet. With land lines you can.

  • I don't care how nice he (or she) is, the first few times you meet in person, don't meet at home, a hotel, or any place you will be alone. That includes going there after the dinner, movie, whatever. Meet in public places, preferably with friends. They will probably see things you don't - good and bad.  You will have to judge at what point you feel 'safe' being alone, but the first date definitely isn't it.

  • Alchohol impairs judgment. Drink little or none the first few dates.

  • When you do decide it's ok to meet in more private places, make sure someone knows where your going. Having a friend call to check up on you isn't a bad idea, and it can give you an out if you're getting uncomfortable.


To find more ideas for safely dating people you meet online, google "online dating guide" or "safe online dating."

My prayers go out to Tori Pennington's family, especially her children.

Tuesday, April 27, 2010

Who owns your Facebook?

ZDNET's Ryan Naraine and Dancho Danchev reported on a blackmarket sale of 1.5 million Facebook accounts. The accounts vary from active accounts with loads of friends to semi-autogenerated acounts that don't have any friends yet. The price depends on how many friends the account has.

The article is a FAQ on a report by Verisign's iDefense team, and covers a lot of ground, far more than I can cover here. But one of the things I find very intriguing is the section on "Cybercrime as a Service" (CAAS), something that I'd never thought about, but that is a logical progression when you think about the development of legal business on the web.

Of course, the real question that's probably on your mind right now is either "How concerned about this should I be," or "What can they do with my Facebook account?" Those might be closely followed by, "Why would anyone, especially a criminal, want my Facebook account?"

To answer the last question first, an established Facebook account is instant trust, allowing a criminal to get things from people with far less risk and effort than sending spam or actually burglarizing a house or robbing a bank. It just makes sense that if you can approach a person as someone they know and trust, they're more likely to agree to risky behaviors you might suggest. They also are more likely to open malware you send them and open links, making Facebook accounts perfect mules for infecting their friends.

So how worried should you be about this? Well, you're probably not one of the 1.5 million accounts being sold, but I'd change my password anyway from a computer that is known free of malware just because you can't be sure. There are reported to be more than 400,000,000 users on Facebook. That means that this list of accounts for sale has less than 1/2 of 1% of all Facebook users on it. I've seen people say they are leaving Facebook because of this breach, but I wouldn't leave Facebook because of this problem alone. Of course, there are plenty of other problems that make Facebook a risky proposition.

Monday, April 26, 2010

Wylie's Angel identified

It's a sad tale reported by By Valerie Wigglesworth and Tanya Eiserer of The Dallas Morning News. No one know how Gerren Isgrigg's body wound up next to a parking lot by Lake Lavon Northwest of Dallas, but his maternal grandmother is in jail for murder after an anonymous tip helped police identify the child.

Apparently the father was making child support payments, but they were going to the mother, not to her parents. She lived in Oklahoma while Gerren lived in Texas with his grandparents.

It's very easy to pass judgement from a distance, even when you know very little of the circumstances in a situation. So I won't. From here I could point fingers at everyone involved, but the truth is that I know nothing about what went on. So all I'm going to do is pray for the parents and grandparents to be honest with themselves about everything and become better people because of what's happened. I suppose that is passing judgement as well, but we all could become better people, and that's the best I can do.



Friday, April 23, 2010

Google Buzz by Bot

It looks like Google Buzz is powered by bots. 80%, according to one article.

But wait, someone else says it's 90%!

Whichever it is, most of the content on Google Buzz is fed automatically - and it still can't compete with Facebook.

Is there a hidden meaning there?

Thursday, April 22, 2010

Facebook to users: Screw privacy

Facebook proposed changes to it's privacy policy and put them online for people to comment on. After reviewing all of the comments, Facebook posted a response here. I would recommend that you read the response, even if you never read the new policy. It is full of information that I'm sure Facebook never intended to release, the biggest revelation being that Facebook considers it their right to use your content - although they claim the privacy policy limits how they can use it. Two of the responses seem to reveal the lie in that to me - I'm going to deconstruct them as I go:
Will Facebook take my creative works and use them for profit?

A number of users raised concerns similar to the following comment: “I am an artist. This section makes me nervous. Does this mean that Facebook plans to sell the artwork, photos or music that I post?” Facebook has never sold its users’ creative works, and has no intention of doing so in the future.

That's cool. Just the way it should be.

But you should be aware that Facebook does try to derive revenue from its website – such as through advertising – and your content appears on our website.

There shouldn't be a butt I mean but, here.

That said, this section limits our use of your content in two important ways that protect you. First, the rights you give Facebook are “subject to your Privacy Settings.” This means, for example, that if you set your privacy settings so that only your friends can see a photo, we cannot show that photo to anyone but your friends.

Hmmm...but in the past the default is to share with everyone. So Facebook is setting the default to share only with friends? Somehow I doubt it.

Similarly, if you opt out of Social Ads in your Privacy Settings, we will respect your decision.

You'd better, but will I ever know?


Second, the license you give us ends when you delete your copyrighted content. This means that the minute you delete it, we will no longer use your content except in the ways we articulate in section 2.

Hold up. Once I delete it, you shouldn't have any rights to my content. Also, unless you take the steps to copyright your Facebook content, it's not copyrighted, which means Facebook can use it. Facebook, you can delete section 2 right now!

And the second section that bothers me:
How will Facebook use, share, and store my content?

Facebook needs the right to use, share, and store your content in order to provide Facebook to you and your friends.

No, you could have chosen another business model. But you chose to use a model that requires you to trick us into releasing data we might not want released.

Our Privacy Policy explains what content we use, share, and store, and includes a number of examples (as do some of our responses to this section). In addition, your Privacy Settings give you the ability to direct and control how we use and share your content.

But only if we hunt them down and change them and never do anything that negates those settings. The default should be not to share - but Mr. Zuckerberg knows that the default setting is the one that most people will keep without thinking, so opt-out gives him more moneymaking power than opt-in.

Who am I kidding. I didn't like any of the replies to users objections. Mark Zuckerbergs announcement yesterday just reinforces my belief that Facebook is not responding to changing social norms, but is trying to push those norms in a direction that benefits Facebooks bottom line, not the interests users of the service.

David Goldman, staff writer for cnn.money.com, covered Facebooks f8 developers conference Wednesday and saw a number of problematic privacy changes. However much more control you may have to make things more private, that control is easily lost: Users will be asked to convert their interests into fan pages:
"Is one of your interests "The Beatles?" Well, now you're a fan of The Beatles. By default, users will receive notifications from their fan pages in their news feed.

Doesn't sound like such a big deal, but here's the kicker: Users who choose to convert their interests to "pages" will lose privacy control with the new changes. Many parts of users' profiles, including hometowns, birthdays, education, religion and work interests would be considered "connections" if a user converts them, making them public to anyone."

Goody! I can create fan pages, but only if I'm willing to give up control of my own information. That's extortion - although in my case they wouldn't find much on my pages, but they shouldn't have the opportunity unless I explicitly give it to them. Facebook is starting to change their privacy policy on an almost monthly basis. Privacy policies should be relatively static, only changing when not changing would cause problems. In light of Facebooks continuing push to take control of my data I've deactivated my Facebook account. If I try to do anything beyond exchanging messages with friends I negate the privacy settings, and it's only a matter of time before Facebook gives up any pretense and says, "To use our site you grant us full use of your content." I'm not willing to do that.

Wednesday, April 21, 2010

Message to Google: Respect our citizens privacy

In a story published in the Avalanche-Journal, Barbara Ortutay, AP technology writer reports that 10 nations have written a joint letter to Google CEO Eric Schmidt expressing their concern over the way Google Buzz and Google Streetview handle privacy.

It's good to see that the privacy of citizens is important to their governments. It's sad that the US wasn't represented, but we don't have a privacy commissioner, and anyone who's been paying even mediocre attention to the news for the last 5 years should know that US government isn't exactly worried about citizens privacy.

The letter pulled no punches, saying in part:
"However, we are increasingly concerned that, too often, the privacy rights of the world’s citizens are being forgotten as Google rolls out new technological applications.  We were disturbed by your recent rollout of the Google Buzz social networking application, which betrayed a disappointing disregard for fundamental privacy norms and laws.  Moreover, this was not the first time you have failed to take adequate account of privacy considerations when launching new services."

The other service being referred to was, of course, Google Streetview. Google streetview has been plagued with privacy issues such as pictures of the interior of houses, backyards behind privacy fences, and unobscured pictures of peoples faces without permission.

The commissioners expressed concern that Google was making it a standard business practice to roll out new services without adequate planning and privacy protections:
"It is unacceptable to roll out a product that unilaterally renders personal information public, with the intention of repairing problems later as they arise. Privacy cannot be sidelined in the rush to introduce new technologies to online audiences around the world."

I only wish we could convince the US government of the importance of the citizens right to privacy. If we all contact our congressman and tell them, maybe we can.

The text of the letter is here.

Tuesday, April 20, 2010

Do you Know "Wylie's Angel"?

The small North Texas city of Wylie, Texas suffered a major shock last week when the body of an unknown 6 year old boy was found near Lake Lavon, Northeast of Dallas. The boy was apparently fed through a tube and had other major medical problems. There are no missing children fitting the description, and no one has come forward with information following the publishing of an artists rendering of what the boy looked like:

Artists rendering released by Wylie PDThe local CrimeStoppers and Shepp's Dairy have each offered $10,000 for information leading to the positive identification of the boy, and a local resident created a Facebook page. Most communities pull together in situations like this, and Wylie and the DFW Metroplex is no exception. My prayers go out the family of the little boy and to the community of Wylie, TX in hope they find out what happened to him.

If you have any information about this child, police ask you to call the National Center for Missing and Exploited Children at 1.800.843.5678.

Stories from WFAA TV, Dallas and CBS11TV were used to gather information on this story.

Monday, April 19, 2010

Bad security a financial industry issue, not just banks

Alan of Sun Country's Weblog reports that FINRA (the Financial Industry Regulatory Authority) recently fined the brokerage firm Davidson & Co. $375,000 for failing to use adequate security measures to protect customers information.

The breach occurred in 2007, but Davidson & Co. didn't find out until 2008. To make it worse, they didn't find it, one of the hackers tried to extort money in return for not releasing the stolen data to the public.

According to FINRA, Davidson made such basic security blunders as not encrypting customer data, keeping the customer data on a web server with default admin password, and keeping the insecure webserver online 24 hours a day. The company also failed to follow a 2006 auditors recommendations that it implement an intrusion detection system and review server logs so that they could have detected the breach sooner.

According to a Davidson spokeswoman the FINRA statement ignored some pertinent information, such as a third party auditor being unable to break into their systems shortly before the breach, and the attack using what were, at the time, very cutting edge techniques.

What the FINRA report does tell us is that the attack was a SQL injection attack. In 2007 SQL injection was going on 10 years old, hardly cutting edge. Changing the default admin password is basic security. So is encrypting your customer data and not placing the database on a server directly connected to the web. Different companies use different terminology for the same tasks, so I suspect Davidson was looking for a pentester and hired something else, but I can't be sure. Any pentester should have hacked a server using the default admin password in no time. But an auditor might not even try.

These types of problems are coming to light often enough to show that a large segment of the financial sector has major security problems. I would like to see the industry police itself, but the stakes are too high, and the industry moves too slow. It's time for regulatory involvement.

Friday, April 16, 2010

Biometric National ID - The big lie

In an article on fiercegovernmentit.com David Perera tells us more of the claims and controversy surrounding the proposed biometric national ID cards. The proposed cards would have some type of biometric data to make them tamperproof (there's no such thing) and are supposed to help stop illegal immigration. If you read this blog regularly you've probably already seen my opinion on that.

He links to an opinion piece by Senators Charles E. Schumer (D-N.Y.) and Lindsey O. Graham (R-S.C), the authors of the bill. This piece shows either the duplicity of the two legislators, or their unforgivable ignorance of just what it is they are proposing. Just a few sentences from one paragraph of their article raises all kinds of alarms with me:
Each card's unique biometric identifier would be stored only on the card; no government database would house everyone's information. The cards would not contain any private information, medical information or tracking devices. The card would be a high-tech version of the Social Security card that citizens already have.

Let's look at the two claims individually:

First, if the biometric data is only on the card, there is nothing to check it against. Without a database to check the data on the card against it will be difficult if not impossible to create a card that's really difficult to forge, let alone one that's anywhere near tamperproof. Once someone figures out how to move the biometric data from one card to another a single lost ID can be turned into as many different ID's as they want. The card is only checked against itself, so it will always report that it's legit. In other words, a national database loaded with U.S. citizens personal data is more than a requirement for an even remotely effective national ID, it's an absolute necessity.

Second, it's not supposed to contain any private information. Excuse me, but biometric data is extremely private. Social Security numbers are supposed to be private. By it's nature, an ID card has to have some type of personal data or it can't prove your identity. And don't believe there won't be medical data on it. It won't be there at first, but unless the health care reform bill is repealed, the most logical place for portable health info to go is a chip on an ID card. And don't trust the promises that none of this will happen. "It will not be used as an ID number" was one of the promises used to pass Social Security.

The ACLU and about 45 other organizations sent a letter to President Obama outlining their concerns over a national ID. Along with the concerns I've already noted, they included concerns over cost and enforceability, among others. Regarding cost, they point out that providing biometric ID cards for 1 million transportations workers is expected to cost the Department of Homeland Security 1.9 billion dollars. In other words, it will cost almost $300,000,000,000 dollars to ID the entire U.S. work force. Perhaps more important, they don't believe the plan has a snowballs chance of working:
"Adding insult to injury, this unaffordable scheme will probably never work. Even ignoring the enormous difficulties of creating a system to fingerprint everyone and distributing readers to employers across the country, the truth is that some employers prefer the ambiguity of the current process. Unless significantly greater resources are dedicated to enforcing the law, employers will continue to have a strong incentive to circumvent a broken system. Such enforcement could be accomplished just as easily without a National ID."

If greater resources were dedicated to enforcing the law, there would be less perceived need for a national ID. In other words, this national ID thing is smoke and mirrors to gain more control over law abiding citizens while having minimal impact on the criminals.

Thursday, April 15, 2010

Online Privacy: Ebay steps up

On the eBay Ink blog Richard Brewer-Hay tells us about the new tweak to AdChoice. Now AdChoice has a nifty new icon, and that icon will appear on ads on ebay and on ebay ads on other sites. Click on the icon and you are presented with opt-out choices. That's pretty nifty, but the really neat thing is that the program is being implemented as an industry standard. Creating privacy policies and privacy customization for one site is a job. Creating something that is recognized as revolutionary and needed that others will use is a herculean task. Ebay has succesfully marked itsself as a security aware privacy guarding online company. That is almost as impressive as the standard and the example they have set.

Wednesday, April 14, 2010

$1000, Free on Facebook!

There are some legitimate "free" offers on the web, although by the time you jump through the hoops to qualify for them it would be cheaper to just buy the "prize" they offer.

Robert McMillan of IDG News reports on PCWorld that there's a free offer appearing on Facebook that's a lot easier, but the prize goes to the conmen, not to you. All you have to do is become a fan and get a free gift card. The scam has covered the gamut, from Ikea furniture to iTunes, and has offered as much as $1000 gift cards. One fan page gathered 70,000 fans before being taken down.

In another article by McMillan, Facebook Spokesman Simon Axten says that right now these pages are leading to marketing websites that generate money through advertising. But traditionally this kind of scam is associated with identity theft, and it is probably only a matter of time before the information gathering gets more personal and identity theft becomes the goal.

Remember, anybody can put up a page on Facebook and claim to be anyone else. And always remember that old adage, "If it looks too good to be true, it probably is.'

Monday, April 12, 2010

Surviellance law needs updating

Scott M. Fulton, III, managing editor of betanews.com, wrote an in-depth article on technewsworld.com about the need to update the Electronic Communications Privacy Act (ECPA), an ancient (in technology terms) law that sought to update the code covering telephone communications so that it also covered computer communications. But it was written in 1986, almost a quarter of a century ago. Computer communications now are radically different than they were then. In 1986 most computer communications were between universities, government agencies and government contractors. Today the communication between those three segments is a fraction of the communications between private companies and citizens.

The Digital Due Process (DDP) group, led by the Center for Democracy and Technology, has defined some principles for Congress to take into consideration when they look at updating the ECPA. The goal is to get internet communications the same protection given to wiretapped telecommunications. This isn't the first time that the DDP has tried to influence policy, but this time they've enlisted two of the more visible company in recent privacy discussion, Microsoft and Google. Their involvement should put some weight behind the DDP's suggested principles.

Internet communications are in dire need of legislative protection. Despite recent court rulings, just how protected online communications such as email are is uncertain. And with more of individuals critical data being stored online or in third party cloud services, the current laws and precedents make the Fourth Amendment moot. By use of the Third Party Doctrine law enforcement can deny Fourth Amendment protections to anything you store online. That includes email, financial data (if you access your bank account online...) and even your dropbox account.

Check out Mr. Fulton's article to learn a lot more about this issue. I've only touched the surface of what he covers. Before I finish, I want to include one quote to emphasize how important it is that current laws be updated, and the standard of how much privacy protection is afforded online data be updated:
"The Supreme Court has said that you can issue a subpoena -- not because you believe the law is being violated, but merely to assure yourself that the law is not being violated." Jim Dempsey, CDT Vice President for Public Policy

I don't know about you, but to me that sounds a lot like assuming guilt without evidence. Kind of flies in the face of "innocent until proven guilty" doesn't it?

Friday, April 9, 2010

The Tao of Facebook: Fools and Wisemen

United Press International reports that a Muslim teacher in North Carolina has been moved from the classroom to an office job. Not because of anything she did in the classroom, but because of her (and her friends) Facebook postings. Before moving to an office position she was suspended with pay for several weeks.

Melissa Hussein was at least mildly provoked. I have to wonder what else was going on in the classroom, school, and community. The incident that sparked the incident was students leaving a Bible on her desk. She called it a "hate crime" on Facebook, and her friends responded in kind, even going so far as suggesting she paint a swastika on a Dale Earnhardts poster and showing it to the students. She liked the idea, but said that would leave her without a job.

Don't worry Melissa, you almost took care of that yourself with Facebook.

Jo Ann Hustis of the Morris Daily Herald reports that Facebook was instrumental in identifying the suspect in a bank robbery that occurred Tuesday in Morris, Ill. The police put the pictures captured in the bank robbery on Facebook for their 500 fans to pick up, and within a few hours they had put it on their pages for their friends to see, and the thief was identified.

That's the way to use FaceBook.

Thursday, April 8, 2010

Court says "NO" to "potential damage" from data breach

When I first saw alerts on this story I thought it was another case of a bad court decision in favor of a corporation. Then I read Mark Mcreary's blog post, Aetna Wins Dismissal on "Increased Risk of Identity Theft" Damages Sought for Class Action. I also read the amended decision by Judge Legrome D. Davis, and after all that reading, I can see two things:

1. Had this lottery ticket paid off, it would have paid off big.
2. Even so, no lawyer should have been willing to plead this case.




Aetna had a security breach on their employment website. The email addresses of over 400,000 applicants and 65,000 employees were stolen. Other information may have been stolen, but no one knows for sure (except the thief). Aetna sent notification of the breach to everyone who might have been affected by the breach. Some of those people received a bogus email claiming to be from Aetna asking for more information. One of the people who received the notice from Aetna, but not the phishing email, decided to sue Aetna for potential damages from potential identity theft.

Yes, that's right. Cornelius Allison sued Aetna for damages because he might, someday, have his identity stolen. Since he did not receive the phishing email, he didn't even know if his email address or any other data had been part of the breach.

He was suing for money the maybe perps would possibly take if they ever stole his identity. I wonder if either he or his lawyer was really surprised when the case was thrown out?

Wednesday, April 7, 2010

eMail: Private or not?

Just what is private online and what isn't is still being hammered out, and things aren't likely to get any clearer with the conflicting decisions being handed down by the courts.

In an article by Ellen Messmer Computerworld reports that the New Jersey Supreme Court, Appellate Division, ruled that an employee had an expectation of privacy  because she used her personal email account (Yahoo) on a company computer, not the companies email system. The company policy was not clear that email sent from a personal email account using company computers could be captured and used by the company, so the court ruled that there was a reasonable expectation of privacy. I'm sure that by the time your read this the company policy will say something like, "Any correspondence, letter, message, mail or email produced using the company email system and/or company equipment is subject to monitoring and archiving by the company. This includes email sent using third party providers such as Yahoo and Gmail."

In an off the wall decision reported on the Citizen Media Law Project by Andrew Moshirnia the 11th Circuit Court of Appeals ruled that, because of the "Third Party Doctrine" email is not protected by the Fourth Amendment. The Third Party Doctrine is what the government uses to justify the massive wiretapping program the NSA is running. There is a difference, however. The NSA is supposedly only gathering the numbers called, not the content of the calls. This court ruling does not allow just getting the addresses the email is going to or coming from, it allows grabbing the content, as well. That goes way beyond what the NSA is doing.

Worse, not only does it disastrously expand governments ability to spy on our communications, it flies in the face of other decisions by other circuits. Last year the 10th Circuit ruled that even in the workplace employees can have an expectation of privacy in email if certain criteria are met. That ruling makes sense. Using the third party doctrine at all, but especially on email, is crazy. Just because I use a third party to send something doesn't mean I don't expect it to remain private. By that logic  I should be able to grab my neighbors mail out of his mailbox and read it.

Tuesday, April 6, 2010

Terrorists more protected than law abiding citizens

Kevin Bankston of the Electronic Frontier Foundation reports on the decision in the case of Al-Haramain Islamic Foundation v. Obama. The decision says that Al-Harmain has met the Foreign Intelligence Surveillance Act (FISA) requirements that they prove they had a legitimate complaint using only "non-classified" information. That means that the government tapped their phones illegally, and will have to provide relief as provided by FISA. The Obama administration, following Bush's lead, tried to use "states secrets privilege" to avoid admitting or denying that any wiretapping took place, but the court wisely determined that FISA trumps states secret privilege.

I've read the FISA, and there is no reason at all for any surveillance that is remotely legitimate to be done illegally. FISA has provisions for emergency surviellance that allow the surveillance to be done BEFORE the warrant is requested, let alone issued. The base rule is file for the warrant within 30 days, but that can be extended up to a year in some circumstances. So the only real reason to avoid admitting or denying the surveillance is if, in fact, the surveillance took place and a warrant was never obtained. Or at least one of the parties being watched was a US citizen, and more information was gathered than the law allows.

The reason all of this means that terrorists are more protected than law abiding citizens is that surveillance of just about every phone call made in the US is still going on, and there is nothing we can do about it. But a group that has been determined to have connections to terrorists has managed to sue the government and win. They won because FISA limits the surveillance that can be done on US citizens communicating with non-citizens. Meanwhile the rest of us are being spied on by our government because the 4th Amendment doesn't apply to us when our information is entrusted to a 3rd party. So I would have more protection from government surveillance if I communicated with known terrorists than I have calling my mom and dad. If that isn't bass ackwards I don't know what is.

If you'd like to know more about the Foreign Intelligence Surveillance Act without having to go through the legalese, the Wikipedia article is a good general overview of it.

Monday, April 5, 2010

Linux: As vulnerable as Windows?

Before any Linux users burn me in effigy, please read a little further. Enterprise Linux is rock solid and as secure as anything out there - and more secure than most. But how secure is desktop Linux?

Before answering that, perhaps we should think about why Linux in the Enterprise is so secure. Actually, we don't have to think about it because Fewt of the Fewt blog already has. And the conclusion he has come to is that the things that make installing and using desktop Linux so user friendly are exactly the things that make it insecure.

I'm ashamed to admit that I've never considered that the changes made to make desktop Linux simpler to install and run than enterprise Linux could create security risks. For instance, creating a single partition instead of having different partitions for different directories removes one of the security features of enterprise Linux. Fewt says it much better than I can:
With a Desktop Linux system, non enterprise savvy users are given the keys to a wide open platform and nothing protects them from the elements. We as a community have falsely sold our users that this platform inherits the security capabilities that you find within Enterprise Linux, we just aren't telling them the whole story.

By default, every single Desktop Linux system I have reviewed or tested fails in every possible way. None of the measures normally applied to protect Enterprise Linux systems are present to reduce risk of vulnerability. In addition those enterprise controls must be altered slightly as the use case is so greatly different than that of an Enterprise Linux deployment.

Are you using desktop Linux? Do you have the know-how to secure it, and if you do, have you? If you've convinced friends to run Linux, have you secured their systems for them?

Fewt doesn't just bemoan the fact that desktop Linux is not secure. He points users who want to secure their systems to resources to help them do exactly that:

https://help.ubuntu.com/community/Security
http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf
http://people.redhat.com/sgrubb/files/hardening-rhel5.pdf
http://ubuntuforums.org/showthread.php?t=510812

He then offers the advice that if you find the information at any of those links too complicated you should stop using linux. He's not being snobbish or suggesting you have to be a Linux administrator to secure Linux. He's saying that if you're not comfortable taking the steps needed to protect your data - and perhaps your reputation - you should use an operating system that protects you while staying in your comfort zone.

If you are a user or a fan of desktop Linux I suggest you check out fewts blog entry and the links he gives to help you secure your desktop. He gives a very clear, very informative case for desktop Linux's insecurity.

In any security situation you're only as secure as the weakest point. Often that's the users password. In desktop Linux it looks like the OS itself may be the weak point. There are already enough weak links in any OS without opening the lock and throwing open the gate for the bad guys.

Friday, April 2, 2010

Facebook puts new spin on old crimes

KTLA.com in LA reports a new spin on a not so new pastime. For that matter the spins probably not all that new. There's not really anything new about groups of teenagers or early twenty-somethings finding an unoccupied house, breaking in, and trashing it. It's also not new that the partiers don't really care if the house is empty because it's abandoned or because the occupants are away. Actually, they probably prefer the occupants be away, that way there's probably food and maybe alcohol already there.

What Facebook and other social media have made possible are a much shorter amount of time needed to setup the "party". Twenty years ago it took time to find a suitable house, let people know where the party was being held, and get everybody there. Today, thanks to Facebook, Twitter, Foursquare, and others, a careful online search can find empty houses in minutes. A Facebook update or a tweet can potentially allow thousands of people to find out about the party simultaneously, and in no time you have hundreds of people trashing your home.

As I said, this isn't exactly new. What is new is that many people are now transmitting to anyone who cares to look that they are leaving for an extended periods. So along with having your mail held, your newspaper subscription suspended, and your lights set to go on and off while your gone, make sure no one in your family reports to the world at large that you are going to be gone.

Remember, sites like Facebook are tools. It's up to us how we use them.

Thursday, April 1, 2010

Suing downloaders new "revenue stream"

First it was Warner Brothers seeking an anti piracy intern in the U.K. Now it's the US Copyright Group taking a swing at stopping movie piracy. They are not doing it at the request of the MPAA, they are doing it an a straightforward attempt to find new and interesting ways to make money.

According to an article in The Hollywood Reporter, they are using a new proprietary technology that allows realtime inspection of torrent downloads. Supposedly it's been very successful in Germany. US Copyright Group has filed tens of thousands of lawsuits, with a handful being settled already, and there could be another 30,000 filed in coming months.

This tactic didn't work for the RIAA, and hopefully it won't work here despite the new technology. Litigating shouldn't be an option to avoid having to adapt to changing market conditions.