In the Bits blog, Nick Boltin reports on the Facebook bug that exposed private chats to public scrutiny. Facebook claims the bug was only live for a few hours, and has shut down chat until the bug can be fixed (perhaps by the time you read this). This can't help Facebook's reputation in the eyes of the Electronic Frontier Foundation or Senator Charles Schumer (D, NY). Senator Schumer is one of the Senators calling on the FTC to craft privacy guidelines for social networks.
I'm not sure this was really an accident. Yes, I'm being paranoid and cynical, but the Facebook business model is to push for users to make everything public. I wouldn't be surprised if this was a 'live test' to see what kind of reaction results from this "bug".
Showing posts with label Browser. Show all posts
Thursday, May 6, 2010
Wednesday, April 21, 2010
Message to Google: Respect our citizens' privacy
In a story published in the Avalanche-Journal, Barbara Ortutay, AP technology writer, reports that 10 nations have written a joint letter to Google CEO Eric Schmidt expressing their concern over the way Google Buzz and Google Streetview handle privacy.
It's good to see that the privacy of citizens is important to their governments. It's sad that the US wasn't represented, but we don't have a privacy commissioner, and anyone who's been paying even mediocre attention to the news for the last 5 years should know that the US government isn't exactly worried about citizens' privacy.
The letter pulled no punches, saying in part:
"However, we are increasingly concerned that, too often, the privacy rights of the world’s citizens are being forgotten as Google rolls out new technological applications. We were disturbed by your recent rollout of the Google Buzz social networking application, which betrayed a disappointing disregard for fundamental privacy norms and laws. Moreover, this was not the first time you have failed to take adequate account of privacy considerations when launching new services."
The other service being referred to was, of course, Google Streetview. Google Streetview has been plagued with privacy issues such as pictures of the interior of houses, backyards behind privacy fences, and unobscured pictures of people's faces without permission.
The commissioners expressed concern that Google was making it a standard business practice to roll out new services without adequate planning and privacy protections:
"It is unacceptable to roll out a product that unilaterally renders personal information public, with the intention of repairing problems later as they arise. Privacy cannot be sidelined in the rush to introduce new technologies to online audiences around the world."
I only wish we could convince the US government of the importance of citizens' right to privacy. If we all contact our congressmen and tell them, maybe we can.
The text of the letter is here.
Labels: Browser, Google, Google Buzz, Politics, Privacy, Public Relations, Security, Social Networking, Social Networks
Thursday, March 11, 2010
Ford: First Online Road Devices
Or maybe First Online Road Death? That last is a little unlikely, but in the realm of possibility. Ford is bringing a new meaning to "mobile device," and adding to the list of web-enabled devices. With Microsoft, Ford developed Sync and started putting it in some Ford vehicles in 2008. Sync allows you to connect Bluetooth phones or USB devices like MP3 players to your car and control them with voice commands. It's a really neat bit of technology, but Ford wasn't satisfied to rest on its laurels.
Kevin Spiess reports on Neoseeker.com, "Ford to use Windows CE in some 2011 models." With the functionality of a full OS, Sync will become more powerful, offer more control options, and provide Wi-Fi connectivity for web browsing when parked. As delivered from the factory, web browsing will only work when the vehicle is in park, but I figure about 2 weeks (or less) after the first Wi-Fi-enabled Ford is delivered there will be a way to activate browsing while driving.
But as surprising and innovative as Wi-Fi-enabling a car may be, what is more impressive is that Ford is thinking about security long before implementing Wi-Fi in the cars, both to protect users' data and to protect the system from malware that might endanger the car and its occupants. That's important since connectivity will include social networks and other high-risk locales.
The security features are pretty decent. A hardware firewall between the engine computer and the entertainment computer is one nice thing. They can't totally separate the two because they need to share things like GPS data and highway speed, to name a couple of things. To help protect against malware, Sync will only accept software from Ford, and it won't allow installation through the Wi-Fi connection. There are other features to keep your data safe in your car.
And the security doesn't just cover electronic assets. There are features that will make Ford vehicles with Sync unattractive to thieves, too. An engine immobilizer keeps the engine from turning over unless a coded key is used, and a keycode allows the car to be opened even if the keyfob is left in the car.
Ford is taking a lead position in bringing the automobile to the internet, and vice-versa. It will be interesting to see where this trend goes over the next few years.
Labels: Browser, cell phone, Microsoft, Mobile web, Security, Social Networking, Social Networks, Technology
Thursday, February 25, 2010
More fallout from PlainsCapital vs Hillary Machinery
Last week Hillary Machinery filed its counter to PlainsCapital's lawsuit. The PlainsCapital suit seeks nothing from Hillary (other than legal fees and court costs), but wants a judge to rule that PlainsCapital's security measures were commercially reasonable at the time of the bogus transfers. Hillary is seeking the return of the unrecovered monies and legal costs.
Most of the security community, or at least most of the portion making its opinion known, seems to believe Hillary is in the right. But not everyone is ready to pick a side just yet. Benjamin Wright, an expert in data security and cyber investigations law, has pointed out in his blog that we only have Hillary's side of things, so until PlainsCapital has its say, any conclusions we come to are speculation.
But as things have developed, PlainsCapital's say may be too little, too late. Hillary has not stood still and has not played the quiet game. They have told their story loudly to anyone willing to listen, and it is a compelling story. Even if PlainsCapital had security measures in place that Hillary hasn't mentioned, the bank's reputation has been tarnished, and this incident will probably pop up when least expected for years to come. And regardless of who wins, both litigants will probably find the way they handle financial transfers changed forever when this is over, because the real fallout from this whole event is not going to hit just PlainsCapital or Hillary Machinery. It could change the way banks do business, and that will affect anyone who deals with banks.
DarkReading.com reports that at next week's RSA Security conference, Authentify, Inc. (who are consulting with Hillary) will be asking security professionals to sign a petition to Congress in an effort to force banks to establish better security for business customers. I don't think anyone wants more government regulation, but the fact is that what happened to Hillary Machinery and PlainsCapital isn't unique, or even unusual, even if the lawsuit is. Apparently small and medium-size banks haven't done anything to correct the situation. With the attention of Washington being called to it, the government probably will.
Labels: breach, Browser, Crime, Hillary Machinery, Law Enforcement, Legislation, PlainsCapital, Privacy, reputation, Security
Saturday, January 30, 2010
Lot-o-links: Articles on Facebook, Google, Supreme Court and more
From Businessweek: New EU Privacy Laws Could Hit Facebook - Mark Zuckerberg's mouth paints a target on Facebook.
Exchangemag.com: Google Social Search Hits Privacy Snag on Facebook - Maybe Facebook's privacy settings are better than we thought.
Mediapost.com: Google Scores Partial Victory In Street View Lawsuit - Google Streetview photographing the view of a house is OK. Entering a private drive to do it, not so much.
U.S. News: Should Supreme Court Uphold the Quon Case on Worker Privacy? - Should workers expect email and other electronic communication on company equipment to be private? Take the poll.
PCWorld.com: EFF: Browsers Can Leave a Unique Trail on the Web - Find out how much information your browser gives without even being asked. With suggestions on how to obscure your trail.
RDMag.com: How Can Policymakers Promote Innovation and Strengthen Privacy? - Policy always lags behind technology; the trick is protecting privacy without stifling innovation.
Hope you find the reading interesting.
Labels: Browser, Facebook, Google, Legislation, Privacy, Search, Security, Social Networks, Supreme Court, Technology
Thursday, January 28, 2010
TOR cracked to catch child pornographers
Tuesday I wrote about TOR, The Onion Router. Wednesday in ZDNet's "Zero Day" blog I read about a TOR server patch written for the purpose of catching child pornographers, tracing them not just to the geographic location they are operating from, but to the computer they are working at. A worthy endeavor. But since the author, HD Moore of Metasploit fame, is releasing the source code, modified versions of the patch can be created to track anyone using TOR. This means TOR as a standalone item has become useless for protecting people who need protecting, i.e. human rights activists in oppressive countries, journalists and undercover police, and anyone with a legitimate need to keep their location hidden.
Moore (arguably) had good reason to do this. In Germany, at least, TOR is being heavily used, or is suspected of being heavily used, to traffic in child pornography, and the German authorities have been cracking down on TOR servers. But is the possible benefit in one admittedly important area worth the cost in several other important areas?
But there is an alternative to the TOR package by itself. It is also cross platform, and free. It will run on Intel Macs, Windows, and Linux. It is called JanusVM and runs in a virtual machine. It plugs the holes used by Moore's patch, and keeps your location obscured. From the Janus website:
"JanusVM is powered by VMware, built on the Linux 2.6.14 kernel, and brings together openVPN, Squid, Privoxy, and Tor, to give you a transparent layer of security and privacy that is compatible with all your TCP based applications. DNS request are also passed through Tor so even your ISP doesn't know what web site you are looking at."
JanusVM is free, cross platform, and can take a little more setup than the basic TOR package, depending on how your network is set up. But if you need anonymity online, it's the best thing going now.
Labels: Browser, Crime, DNS, Exploit Code, IP, Law Enforcement, Open Source, Privacy, Search, Security, surveillance, Technology