Sunday, July 31, 2011

Encrypt your Facebook sessions to protect data when it takes the scenic route through China

Originally published 3/25/11 on


CIO Online reports that Facebook traffic coming from AT&T servers was accidentally routed through China and North Korea. This might not be a concern, but unless you're connecting to Facebook using an encrypted connection everything that you do can be monitored by network operators. China is known for spying on it's users, and once your data is on the Chinese network, it's just like any Chinese users data. Any data you look at on Facebook could be monitored and/or saved for later analysis as it goes through China.

But if you encrypt your data, the network operators can't see it. Encrypting your login to Facebook is easy. Just make sure your Facebook bookmark is set to "" and everytime you login your username and password will be encrypted. But once you login Facebook defaults back to an unencrypted connection. Facebook does realize that you may want to have everything you do on Facebook encrypted, and have a setting to allow that. Go to the 'Account' menu,select 'Account Settings' and scroll down to 'Account Security' then click on 'change'. Check the "Browse Facebook on a secure connection (https) whenever possible" box.

It's almost always a good idea to use encryption on the web. It doesn't use much processing overhead and protects your information as it goes from point 'A' to point 'B'. If you use Firefox there's even an add-on called "https everywhere" that will use https to connect to any website that support https.

Facebook + Separation + defriend = Jail Time?

Originally published 3/24/11 on

Ben Muessig at reports on another case of someone shooting themselves in the foot on Facebook. The headline says it all: "Man Charged with Poligamy after defriending his first wife on Facebook."Richard Leon Barton, Jr became estranged from his first wife in prison. They hooked up again on Facebook after he got out.

That's fine, but then Richard defriended his wife. But he didn't have his privacy settings locked down, so she was able to see the pictures he posted of him and his second wife.

Oops. He hadn't divorced wife #1 yet.

Computer Myths: 5 myths and the truth about them.

Originally published 3/23/11 on

The U.S.-CERT site is an excellent resource for information on computer security. It provides information at two levels, technical and non-technical. One of the articles is a list of common myths and the truth about them. I've provided the link, but here's the list of myths and the truths about them:

What are some common myths, and what is the truth behind them?

  • Myth: Anti-virus software and firewalls are 100% effective.

    Truth: Anti-virus software and firewalls are important elements to protecting your information (see Understanding Anti-Virus Software and Understanding Firewalls for more information). However, neither of these elements are guaranteed to protect you from an attack. Combining these technologies with good security habits is the best way to reduce your risk.

  • Myth: Once software is installed on your computer, you do not have to worry about it anymore.

    Truth: Vendors may release updated versions of software to address problems or fix vulnerabilities (see Understanding Patches for more information). You should install the updates as soon as possible; some software even offers the option to obtain updates automatically. Making sure that you have the latest virus definitions for your anti-virus software is especially important.

  • Myth: There is nothing important on your machine, so you do not need to protect it.

    Truth: Your opinion about what is important may differ from an attacker's opinion. If you have personal or financial data on your computer, attackers may be able to collect it and use it for their own financial gain. Even if you do not store that kind of information on your computer, an attacker who can gain control of your computer may be able to use it in attacks against other people (see Understanding Denial-of-Service Attacks and Understanding Hidden Threats: Rootkits and Botnets for more information).

  • Myth: Attackers only target people with money.

    Truth: Anyone can become a victim of identity theft. Attackers look for the biggest reward for the least amount of effort, so they typically target databases that store information about many people. If your information happens to be in the database, it could be collected and used for malicious purposes. It is important to pay attention to your credit information so that you can minimize any potential damage (see Preventing and Responding to Identity Theft for more information).

  • Myth: When computers slow down, it means that they are old and should be replaced.

    Truth: It is possible that running newer or larger software programs on an older computer could lead to slow performance, but you may just need to replace or upgrade a particular component (memory, operating system, CD or DVD drive, etc.). Another possibility is that there are other processes or programs running in the background. If your computer has suddenly become slower, it may be compromised by malware or spyware, or you may be experiencing a denial-of-service attack (see Recognizing and Avoiding Spyware and Understanding Denial-of-Service Attacks for more information).

I especially like that last one. The newest computer in my house is 4 years old and runs everything from online games (free version of D&D) to streaming HD video. Just because a computer is a few years old doesn't mean it's obsolete. But a suddenly slow computer could be, and probably is, infected with malware. These days if you're running your computer as admin you may not be able to get rid of the malware without wiping the computer. So if you can install software on the account you surf the web with, create a new standard user account and start using it. You can usually remove any malware that gets installed in a normal user account. If it installs into an admin account you'll have to wipe the computer to be sure.

Saturday, July 30, 2011

New technology will measure your reaction to advertising

Originally published 3/22/11 on

I read a lot of science fiction, so I can see all kinds of bad futures for this one. Larry Dignan at ZDNet reports on a new technology: Neuromarketing. Neuomarketing is the creation of Neurofocus, a company that claims to develop advertising based on neuroscience. If you don't know (I didn't), neuroscience is an interdisciplinary science involving several fields including chemistry, computer science, and psychology, to name a few.

Neurofocus has a device called the Mynd that is basically a consumer friendly personal wireless EEG. It monitors your response to advertising - not just what you tell them your response is, but how you really react. Larry covered a few of the highlights of what it does:

I can see advertising folks drooling now. The aim for Mynd is to capture real responses from consumers who would participate in home panels. Mynd would send data to a mobile device that would capture reactions. Among the key details:
* Mynd has dense-array medical grade electroencephalographic (EEG) sensors.
* The device captures brainwave activity across the full cortex and can connect to mobile devices via Bluetooth.
* The sensors are dry so there are no gels to burden consumers.
* Mynd has been in testing and development for three years and will roll out to labs in the U.S., Europe, Asia Pacific, Latin America and the Middle East.
Dr. A. K. Pradeep, CEO of NeuroFocus, said Mynd can enable “neuromarketing” to gain “critical knowledge and insights into how consumers perceive their brands, products, packaging, in-store marketing, and advertising at the deep subconscious level in real time.”

The potential of this device is frightening - but at this point it's not a very big concern. Unless you agree to put on the headset it's not going to affect you. But if real privacy lawss aren't passed soon this may become the next big privacy fight. Even if the technology becomes miniaturized enough to fit in a baseball cap or a hoodie it may not be a big deal, if you have to agree to transmitting your data. But your data can be read without your permission, this will be major privacy issue. If the technology reaches the point it can scan from a distance it could become a big deal. We're already in a fight over who controls our personal data online. You don't get much more personal than your brainwaves.


Tell your Congressman, don't cut Social Security IT upgrade funding

Originally published 3/18/11 on

Anyone who has read my comments on "Lubbock Left" and "Mr. Conservative" knows I am not a huge supporter of Social Security. But just because I don't think it's Uncle Sam's job to take care of me and mine doesn't mean I'm oblivious to the reality of the situation. And that reality is that our Social Security system is residing in a data center that is decades old with a backup system that may or may not work, and will take five days to bring online even if it does.

I read about the problem in the print edition of Information Week for March 14, 2011. But the article by J. Nicholas Hoover is available online. The gist is that the data center is extremely old with inadequate heating and cooling, poor power with inadequate backup power and an unreliable backup of data and processing. The software is badly outdated and not up to the needs of a modern enterprise.

The plans and financing are in place - but the money may dry up:

Most of the funding for the new data center will come from $500 million made available through the American Recovery and Reinvestment Act of 2009. However, the Republican-controlled House of Representatives' revised budget for the rest of fiscal 2011 would cut $120 million of that stimulus funding. If that happens, one of the first things to go could be $100 million in software and system upgrades planned for the new data center.

Millions of people rely on the Social Security system for money to survive. The system is one lightning strike from disaster. Or one mouse shorting a circuit. If the primary system goes down the backup could take 5 days to bring online. In five days people could - probably will - die. I may not think much of Social Security, but the system is in place, and we have to make sure it doesn't fail. For too many people it's their only safety net. Write your congressman not to cut any of the funding for the Social Security data center upgrade.

Cord Blood Registry suffers breach

Originally published 3/17/11 on

Last month reported that Cord Blood Registry (CBR), a company that stores umbilical cord for future use, suffered a data breach in December of 2010:

A CBR computer and data backup tapes were stolen from an employee's locked automobile. The stolen tapes contained customer names, Social Security numbers, driver's licenses and/or credit card numbers. This is the "mother load" of personal identifying information for identity thieves.

This is a pretty serious breach, and a good (sic) example of how not to handle any type of data, but especially sensitive customer data. The thief broke into the car through the window. Never leave your computer in the passenger compartment where it can be seen. Even if you've encrypted the data, which CBR didn't do. It's even more tempting to some thieves than a purse.

Because unencrypted customer data was kept on the seat of a car 300,000 people are at risk for identity theft. If this was the first time this had happened it might be understandable. But there have been several widely publicized breaches involving stolen or lost laptops, including a breach more than 100 times the size of this one at the Department of Veteran Affairs. There is no excuse for a business allowing unencrypted data anywhere, but especially not on laptops or portable media.

Cars are hackable, too.

Originally published 3/16/11 on

Technology review reports that Tadayoshi Kono, Stefan Savage and a team of researchers are able to take control of cars computer systems remotely using smart phones. Well, as remote as a bluetooth signal will allow. It is important to note that the car they used was a mass production 2009 model. That means that it was one of the less computerized cars available. Of course, any car without bluetooth is safe from these attacks.
But in a car with bluethooth, not only was it possible to take control of the car using bluetooth, it was possible through several different attack vectors and with phones that weren't paired to the car. Once they had control they could take complete control of the cars computer systems. That means they could do everything from activating the GPS (how did you think Onstar tells 911 where you are) to disabling the brakes. With total control of the computer they could start or stop the engine, control the air and heat, and control the door locks, to name a few things. No one thinks these attacks are out in the wild, but it's past time for auto manufacturers to start including security in their computing software and hardware.

Researchers identify anonymous emails with 80-90% accuracy - I say not good enough

Originally published 3/14/11 on

At first glimpse it looks like a good thing. Researchers at Concordia University have devised a way to identify the authors of anonymous email. This is a great boon to prosecutors seeking to identify people using anonymous email accounts for illegal activity. Unlike an IP address, which can only be used to determine where an email was authored, this system will identify the author, and will do it with 80-90% accuracy.

Wait a minute. 80-90% accuracy is pretty good in some contexts, but in criminal cases? The reason for the research is sound:

“In the past few years, we’ve seen an alarming increase in the number of cybercrimes involving anonymous emails,” says study co-author Benjamin Fung, a professor of Information Systems Engineering at Concordia University and an expert in data mining – extracting useful, previously unknown knowledge from a large volume of raw data. “These emails can transmit threats or child pornography, facilitate communications between criminals or carry viruses.”

On an emotional level 80-90% seems pretty good, but is that good enough when you may be taking years from a persons life? In some cases, you could be taking their life. The case of Tim Coles is one the most prominent examples, both locally and nationally, of a person convicted on evidence that jurors thought was better than 90% accurate, but turned out to be 100% wrong. Further reading of the press release from Concordia shows that, once criminals become aware of this technique, 80-90% might be optimistic:

“Let’s say the anonymous email contains typos or grammatical mistakes, or is written entirely in lowercase letters,” says Fung. “We use those special characteristics to create a write-print. Using this method, we can even determine with a high degree of accuracy who wrote a given email, and infer the gender, nationality and education level of the author.”

So all I have to do to fool this system is to vary my writing style. Add intentionally misspell words in some emails, be meticulously correct in others. Make grammatical mistakes in some, not in others. Or just always make mistakes when using anonymous email that I don't usually make in my signed email.

Worse, given only 80-90% accuracy, how hard would it be for someone who receives a lot of email from me - or maybe even someone who reads this blog - to frame me using email? When it comes to criminal cases, 80-90% doesn't cut it.

Would you recognize a human-hacker?

Originally published 3/11/11 on

As much as we focus on computer viruses, trojans, vulnerabilities and exploits, they are not the biggest risk to security - online or off. The biggest risk is us. Books have been written about it, from Kevin Mitnick's classic "The Art of Deception: Controlling the Human Element of Security" to Christopher Hadnagy's latest, "Social Engineering: The Art of Human Hacking" the subject has been pretty thoroughly covered. But we don't have to space for that kind of detail, so we're going to look at a more succinct study, the Department of Homeland Security's pamphlet on elicitation, (pdf) the art of using ordinary conversation to coax out the information people want to keep secret. From the pamphlet:

In the espionage trade, elicitation is a technique frequently used by intelligence officers to subtly extract information about you, your work, and your colleagues.

Said another way, elicitation is the art of conversation honed by intelligence services to its finest edge.

Elicitation is nonthreatening, easy to disguise (and hard to prove) and it works. Why does it work? Because it's ordinary conversation, the type of thing we do all the time. Is that attractive person you just met so interested in your job because they want to get to know you, or because they're trying to find out something you know? That telemarketer that struck up a conversation with you yesterday - did you really tell him about your vacation plans next month? Just how did he get you to tell him that?

According to the DHS pamphlet the tools are something we all use to some degree:

Appeals to ego: "You must be really important. Everyone here seems to know you." You may respond with a denial, then talk about why what you do isn't really important.

Mutual interest: The person expresses an interest in something you're interested in and uses that to build a bond and increased trust.

Deliberate lies: "I've heard that..." A deliberate lie told knowing you know the truth. Most people have a strong desire to correct the mistake, and we all like to be part of the "in crowd" with insider knowledge.

Volunteering information: It's a simple trade. They give you something in hopes you will give them something. Sales people do this all the time, usually telling you that the price is about to go up, the offer is about to expire or their almost out and it's going to be weeks before they get more.  If it works, you buy whatever they're selling. For a scam artist, you give them your information, such as credit card numbers, name, address, and maybe even SS#.

Assumed knowledge: Just enough is said to give the impression of knowledge in an area so you'll discuss it.

As I read this list I thought about calls I'd received, both at work and at home, from telemarketers. Almost every one of these tools had been used against me in one form or another.  Then in the WalMart parking lot tonight another one was used on me, the appeal for help:

"Could you spare some change? I'm trying to get some food for me and my wife."

I've had my own answer to this type of appeal for years, "Come with me and I'll buy you some food." He said he was getting his wife, got in the passenger seat of a car a row over, and they left.

The DHS pamphlet is aimed at preventing espionage, but the same techniques are used by malware authors and conmen to build trust and encourage us to give them what they want. One reason these techniques are so effective is that they are the things we all do in the normal course of communicating with others. Try going through a day looking for the things you and the people you interact with do as you communicate. Then see if you can tell who is just making conversation and who is trying to get something from you.



It's easy to lose control of your creation online

Originally published 3/10/11 on

Noam Galai is a photographer who took some pictures of himself back in 2006 and posted them on Flickr. A few months later a friend mentions seeing his face on a t-shirt. He doesn't really believe her, but a couple of months later he's in a store and sees the shirt. The whole story is chronicled in blog post and 10 minute video interview by fstoppers titled "The Stolen Scream." It's a fascinating story, and seeing how far his image has travelled is amazing - and only one user payed him for it.

There are a lot of lessons here. The best may be Noam's reaction to this theft of his IP. He could have watermarked his images (he still doesn't). He could be sending lawyers after all of the companies using his image without permission. He's not - although he does admit that companies using his work without asking does bother him. But he's not bitter. He seems more amused than anything.

Another lesson, one pointed out by Lee, the fstoppers blogger, is that if we're honest, most of us have no right to point fingers at the people using Noams image without even acknowledging it's his. Most of us have downloaded music, or accepted a burned CD from a friend.

The last lesson, the title of this post, is that once you put something online you surrender control of that information to the world at large. So if you don't want the world to see something, don't post it online.

Facebook good and bad

Originally published 2/1/11 on

Facebook has become a centerpiece in many peoples lives, and that focus is showing in the stories generated by it's users. Here are some of the stories from the last few days:

A man in Rochester, NY, was stabbed by his girlfriend because of comments he made on Facebook. Wait, no, she stabbed him because he friended another woman.

Four teens in Naples, Fl are accused of making death threats on Facebook.

A doctor diagnosed a childs leukemia via Facebook.

A man in Columbia, Ill. is indicted for "enticing minors" on Facebook.

Facebook can be a boon or a bane. Be careful what you do there.


Suit opposing "nude scanners" will be heard Thursday

Originally published 3/8/11 on

The Threatlevel blog at reports that the lawsuit filed by the Electronic Privacy Information Center will be heard by the U.S. Court of Appeals. At issue are potential health problems and the effectiveness of the scanners. The scanners were pushed into service over the objections of privacy advocates as well as the questions on their usefulness from other government organizations, such as the Government Accountability Office (GAO).

I hope these scanners are removed from service, but I doubt they will be. Too much money has been spent, and someone would have to take the fall for the security blunder. Even when a terrorist gets past the scanner the TSA won't admit they're ineffective. The agency will say that the terrorists are a wiley bunch who came up with new tactics to circumvent our almost air-tight security. Never mind that the tactics have been used by smugglers to get contraband into and out of countries for centuries.

Suit opposing "nude scanners" will be heard Thursday

The Threatlevel blog at reports that the lawsuit filed by the Electronic Privacy Information Center will be heard by the U.S. Court of Appeals. At issue are potential health problems and the effectiveness of the scanners. The scanners were pushed into service over the objections of privacy advocates as well as the questions on their usefulness from other government organizations, such as the Government Accountability Office (GAO).

I hope these scanners are removed from service, but I doubt they will be. Too much money has been spent, and someone would have to take the fall for the security blunder. Even when a terrorist gets past the scanner the TSA won't admit they're ineffective. The agency will say that the terrorists are a wiley bunch who came up with new tactics to circumvent our almost air-tight security. Never mind that the tactics have been used by smugglers to get contraband into and out of countries for centuries.

Homeland Security sees the light. Or do they?

Originally published 3/7/11 on

Declan Mcullagh of CBS' Tech Talk blog reported that the Department of Homeland Security has extended the deadline for compliance with Real ID, the national ID passed by Congress in 2005, to 2013. Similar reports came from Fox News and CNN. This is good news to anyone who values privacy and recognizes that the Real ID initiative does much to make it easier to track citizens and little to actually stop terrorists.

But I don't know if the reports are true. I receive the press release feed from Homeland Security, and I never saw this release. Declan Mcullagh links to a pdf of the announcement at the Office of the Federal Register site, but the link is dead, and there is no other mention of the site. A search of the DHS website reveals no documents on Real ID mentioning an extension to 2013. 

If the deadline has been extended this is good news - but not really surprising. Several states have flatly refused to comply because of concerns over the initiative. Concerns go beyond privacy. The costs of implementing it are astronomical, the security benefits questionable, and the increase in the governments ability to probe into law abiding citizens lives unbelievable.  It was a bad idea with bad implementation from the start, and it needs to just go away.

Monday, July 25, 2011

Supreme Court: Corporate privacy does not trump Freedom of Information Act

Originally published 3/4/11 on

The Electronic Frontier Foundation (EFF) reports that the Supreme Court denied corporations the same privacy rights as individual citizens when the government is responding to Freedom of Information Act (FOIA) requests. This might seem like a no-brainer, but legally corporations are considered persons, so it was only a matter of time before a FOIA request came into conflict with a corporations 'personal' rights.

AT&T's lawyers argued that as a corporate citizen it was provided the same exemptions as a private citizen. A coalition of groups ranging from the EFF to the National Security Archive filed an Amicus brief explaining why corporations were not, and should not be, considered persons under FOIA. The Court obviously agreed with them. In agreeing with them, the Court picked apart the term "personal privacy," using definitions, precedents, and a little horse sense to overturn the lower courts decision. One of my favorite passages was the last paragraph of page 7 continuing onto page 8:

AT&T’s argument treats the term “personal privacy” assimply the sum of its two words: the privacy of a person.Under that view, the defined meaning of the noun “person,” or the asserted specialized legal meaning, takes on greater significance. But two words together may assume a more particular meaning than those words in isolation. We understand a golden cup to be a cup made of or resembling gold. A golden boy, on the other hand, is one who is charming, lucky, and talented. A golden opportunity is one not to be missed. “Personal” in the phrase “personal privacy” conveys more than just “of a person.” It suggests a type of privacy evocative of human concerns—not the sort usually associated with an entity like, say, AT&T.

The Supreme Court explains that the real meaning of a phrase can be more than the sum of it's parts, and shows that while a corporation may be a citizen on paper, it is not one in fact, and does not deserve the same privacy considerations as a living breathing person. They probably didn't need to go to all that trouble. As they explain, the FOIA already has protections for corporations. 

This was a good decision, and there was even some (perhaps ill advised) humor at the end. The concluding line of the decision said, "We trust that AT&T will not take it personally." While it seems obviously tongue in cheek to me, Lyle Denniston at the SCOTUSblog feels that the sentence contradicts the ruling. I would say he's just being contrary, but law is all about words, their meanings, and the way they're used in a document. That little joke could cause privacy advocates  and Supreme Court justices headaches in the future.

Apple, Trojans, and FUD

Originally published 3/1/11 on

People seem to really enjoy finding any type of malware for Mac OS. In the decade since Apple introduced OS X there have been a handful (barely) of malicious softwares introduced for it, but only one really had the potential to be serious. I wrote about OSX/Koobface.A because it was the first serious malware for OS X - or would have been if it hadn't been broken in porting it and never fixed.

Now we have Blackhole RAT, which is being hailed as a new trojan for MacOS - again, a piece of Malware that has been ported over from Windows.

But wait. What is Blackhole RAT? What does it do? By itself, Blackhole RAT is just another remote administration tool like VNC, Apple's Remote Desktop, or Microsofts Remote Desktop. Sure, it allows someone to take over your computer across a network, but so do a host of other tools. Blackhole RAT isn't, by itself, malware. It has to be installed - probably using a trojan. It's not a trojan itself, it would be the soldier inside the horse. In the computer world, that's usually referred to as the "payload." 

So should you be worried about Blackhole RAT on a Mac? I don't think so. Apple Remote Desktop is as much a concern. Before worrying about remote administration tools (RATs) you need to understand how many ways there are to install them on your system. On a Mac, the answer is, not many.

So why am I writing about a non-issue? Because so many reputable publications are, such as PCWorld and MacWorld. But they are spreading the FUD (Fear, Uncertainty and Doubt) rather than calm, reasoned information. Someone needs to be the voice of reason.

If you are concerned about malware, Sophos offers a free antivirus software for home use. But don't panic, the Mac universe is still relatively safe unless you're exploring the seamier side of the internet. If you're doing that, I hope you're already aware of the risks.

Maryland DoC responds to Facebook login uproar

Originally published 2/28/11 on

Tuesday I told you about the Maryland Dept. of Correction policy of asking applicants for their Facebook username and password. Later that day they issued the following statement:

"During the initial interview, or recertification processes, DPSCS does not require correctional officer applicants to provide any information related to social media. An applicant is asked if they are active users of social media. If so, the Department only asks if an applicant would provide this information. If any information is provided by an applicant, it is done so voluntarily. If an applicant does not provide this information, it is not held against them and the interview process moves forward.

The Department has a legitimate concern about the infiltration of gangs into our prison system. DPSCS' efforts to explore an applicant's behavior on social media networks is not done through a desire to invade personal privacy, rather it is an effort to make sure the safety and security of our staff and inmates inside our correctional institutions is not compromised.

However, in light of these concerns raised by the ACLU and because this is a newly emerging area in the law, the Department has suspended the process of asking for social media information for 45 days to review the procedure and to make sure it is being used consistently and appropriately."

It's good that they have suspended the policy. Hopefully a review will help them realize just how wrong requiring prospective employees to hand over their social media logins is.

TSA proves full body scanners unreliable

Originally published 2/25/11 on

Kyle VanHemert at Gizmodo reports that in what apparently was the TSA testing it's own procedures an undercover agent passed through the vaunted full body scanners with a gun multiple times- without triggering alarms or being stopped.

The full body scanners have been touted as absolutely necessary for the security of our airports and planes. Privacy advocates have been against these scanners from the moment plans to use them were announced. I've blogged about them in the past, including a past mistake the TSA claimed would never happen. These scanners are not the great shield the TSA claims they are. Instead, they are the emperors new clothes. The TSA has just proved it.

If the report is correct. The TSA isn't admitting anything, and no one has been disciplined. That doesn't really tell us anything. If it's true they can't admit it - that would reveal a serious breach in our security. If it's a lie, denying it will only reinforce the idea that they're hiding the truth. I wouldn't want to be John Pistole right now. But I'd hate worse to be him when a terrorist gets through the massive security hole that he is pretending he is a shield.

Microsoft embraces Kinect owners right to mod

Originally published 2/24/11 on

I've talked about Sony's sudden dislike of console modders and their lawsuit against George Hotz. Microsoft has apparently been watching, and sees an opportunity to steal marketshare from the PS3. Nicole Zivalich of G4TV reports that the Redmond giant is releasing a developers kit to make it easier for the fledgling Kinect modding movement to create PC software for the Xbox Kinect. With Sony pushing firmware "upgrades" that remove PS3 owners ability to create software for the PS3 and suing people who try to restore it, Microsofts apparent embracing of end users making their own software for the Kinect is almost certainly an olive branch designed to attract frustrated PS3 modders to the Xbox community.

Sony is using the DMCA to sue people who try to fully utilize hardware they have purchased (not leased or licensed) - an activity they only recently disabled by a firmware update pushed without owners knowledge or consent. Microsoft is embracing the hardware owners right to make full use of the hardware they purchased. I know where my families money is going for our next console purchase.

Google forgets "Do No Evil" slogan?

Originally published 2/23/11 on

A week or so ago I noticed a "Doodle-4-Google" contest asking for artwork from kids. I intended to go back later because I thought my kids might be interested, but got busy and forgot. Then today I see an article by Bob Bowden in the Huffington Post, "Why Has Google Been Collecting Kids' Social Security Numbers Under the Guise of an Art Contest?" It turns out that Google has been asking parents for information that could be used to guess their children's Social Security numbers.

Google has changed the entry form so that it just asks for the childs school and parents address. It originally asked for the childs city of birth and date of birth as well as the last four digits of their SS#. It's not widely known, but if you know the city of birth, date of birth, and last four of the SS# it is possible to guess with very high probability the first five digits of the SS#.

Why was Google asking for this information? It was hardly necessary to ask for any Social Security information for a children's art contest. When a letter was sent to Google asking about the legality of asking for children's SS#'s the entry form was rapidly changed. It's possible that Google simply hadn't thought about the legality of what they were doing, but I don't really believe that. If Google guessed the children's SS#'s and sold them they would make millions. Having a person's SS# gives you unprecedented access to their lives.

Bob noted that the contests privacy policy did nothing to protect privacy, saying:


At least the contest "privacy notice" is clear enough: "participation constitutes consent to the storage, use and disclosure of the Entrant's entry details...." It should really be called the "privacy waiver."


It has since been changed:


Privacy Notice. By participating in this Contest, you agree that Google can collect your personal information, and that if Google cannot collect the required data, you may not be eligible to participate in the Contest. Any personal information collected during the course of the Contest by Google will only be used for administering this Contest and for other purposes as outlined in these Rules, and will be subject to the practices described in the Google Privacy Policy located at You will have the right to access, review, rectify or cancel any personal data held by Google by writing to Google (Attention: Privacy Matters) at the Google address listed in Section 2.


When Google realized what it had done (or that it had been caught) it quickly fixed the problems. But this just underscores the fact that you should never fill out anything online (or anywhere) without reading the fine print and making sure you understand it. Especially if you are doing it for children.

Maryland Department of Correction requires new hires give Facebook login info

Originally published 2/21/11 on

Andrew Hoyle at CNet UK reports that the Maryland Division of Correction is is requiring new hires and recertifying employees to give full access to their Facebook accounts as part of the background checks. A recertifying employee, Robert Collins, is suing the Maryland DOC, saying their policy is intrusive and illegal under the US Stored Communications Act, as well as being against Facebook policies.

When Mr. Collins was being recertified he was told by an interviewer that he had to give his Facebook login information as part of the background check. The interviewer then logged into Collins Facebook account and made him wait while inspecting it.

The article closes with a question. Do you think that anything online should be fair game in background checks, especially if the job is legally sensitive? Or do you believe some things should private, regardless?

I think that demanding the Facebook login and using it to access the account is going too far. I can see the reasoning, but for many people Facebook is like their diary, just with more readers. Can an employer demand your diary?