Menu

Michael Gracie

(Re)introducing Brian Krebs

I’ve been following the Washington Post’s Security Fix blog since the Spamroll days. Its author, Brian Krebs, was one of the most insightful internet security journalists around. He still is, only he isn’t working for WaPo anymore. Brian’s now doing his own thing, at Krebs on Security.

December 29th was the (re)start date, meaning you can still get caught up. And with internet privacy and security perpetually at the forefront of issues net-denizens face (even if they don’t know it until their identity is stolen), I suggest you do. Get caught up that is.

Krebs on Security…stuff the RSS feed in your reader before it’s too late.

MG signing off (to stay secure)

Google CEO channels Houston police chief

Google CEO Eric Schmidt on privacy:

“If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place.”

The if you’re not doing anything wrong meme rears it’s ugly head once again, only this time it’s the CEO of a company who’s business relies on the accumulation of data (albeit not all of it is personal). Last time I heard the line it was coming out of a Houston police chief’s mouth, while trying to justify the installation of surveillance cameras in people’s bedrooms.

Taking into consideration the rumors of Mr. Schmidt’s open marriage, why does this all seem so ironic?

UPDATE: Bruce Scheier reacts.

Practice diligence to avoid fear of the web

Eduardo Porter of the New York Times:

A few months ago, I nervously created my first Facebook page with the minimum necessary information to view pictures posted by old friends.

I returned to the page a few days later to discover that somehow it had found out both the name of my college and my graduation class, displaying them under my name. I have not returned since. In the back of my mind, I fear a 28-year-old hacker and a couple of Russians have gathered two more facts about me that I would rather they didn’t have. And it’s way too late to take my life offline.

There is no doubt that Facebook knows a lot about you. Me too, and I’ve only been on it a few weeks.

I’ve spent my time configuring my profile with an eye to keep my friends protected – plenty of lists with different access rights, for business and pleasure, and I’ve taken to ignoring most apps (with particular emphasis on polls and the like). While it is but simple diligence, I’m pretty sure it will do the trick just fine for “marketing threats.” But only time will tell. If you are still running around the web like a chicken with its head cut off, you might also want to bookmark this free educational resource from Verisign on how to stay safe on the web. There’s a hefty section on social networks within.

As for Facebook itself having all that data at its disposal, well that is the price you pay. But you never know when someone might cook up a solution for that too.

The Conficker April Fool

Tomorrow is April Fools Day. There will be plenty of jokes played, and many people bamboozled. Be ready, and believe nothing you hear. Well, almost nothing.

The Conficker worm (a.k.a Downup, Downadup and Kido), is a nasty piece of computer malware that has been on the move (i.e. spreading) since late last year, infecting Windows machines far and wide. It calls out to website domains, looking for payloads, and utilizes encryption/signing technology (to prevent its little gifts from being hijacked) which is some of the most sophisticated around. It connects around like your internet browser does (via HTTP), and on April 1st one of its variants is going to massively expand the size of it’s seek-and-infect scope. That may create some network congestion.

But other than the possibility of being infected, there’s actually not a heck of a lot more to say about Conficker (except that if your at-work Facebook browsing gets slow on Wednesday, you may want to just keep mum about it). Microsoft, ICANN, Verisign and many others have been working on the problem for more than a month. Further, Microsoft released a patch for the vulnerability the virus exploits back in October, before Conficker was released. So if you’ve kept your system updated, you probably don’t have much to worry about anyway. That is, unless, you’re CBS’s 60 Minutes.

But what’s the real joke of all this? Well it’s not that Conficker isn’t actually doing anything right now – it’s just waiting for further instructions. Meanwhile researchers are working diligently on solutions. No, what’s hilarious is that there is an entirely different threat lingering – one that has received much less attention, and could potentially be much much more damaging.

Researchers are calling it GhostNet, and it’s already stolen vast amounts of data from government and private offices around the world. It ran completely undetected until the office of the Dalai Lama suspected foul play, and asked Toronto researchers to investigate. Some are blaming the Chinese, but they are denying all.

By the way, GhostNet, which runs via another piece of malware called gh0st RAT (RAT stands for ‘Remote Access Tool’), isn’t waiting around for instructions; it’s still digging away. I conclude that the media is steering info-tech security priorities in the wrong direction – generating fear for headlines belays no crisis.

Within a few years, every bit of data on every computer on the planet will be encrypted. And every bit of data circulated the web (including email, instant messaging, and even select portions of the web sites you view daily) will be encrypted. Dig all you want, boogieman.

“What they can’t read won’t hurt you.” – MG 3/31/09

Facebook’s problem is dissociative identity disorder (UPDATED)

A few days ago, the Consumerist kicked up quite a stir when it uncovered how a relatively small tweak to Facebook’s terms of service essentially negated any rights users might have had to permanently remove their content from the social site. Soon after, the apologists and site management attempted to discredit and/or ‘explain away’ the situation, notwithstanding the fact that Facebook ostensibly ambushed its users. The key issue is whether Facebook should have access to your data after you delete your account, and the given explanation for why they need it is so all the messages, notes, tags (and poop) flying around the site aren’t dislocated by one person deciding to remove theirs. It’s a “two-message system,” says CEO Mark Zuckerberg, and there’s nothing you can do about it (including quit).

I’ve heard more than a few people cry bloody murder when ‘colorful’ pictures of themselves showed up on Facebook, kindly tagged to them by their friends. They applied for a job, and their prospective employer now knows they enjoy a little weed, or a little too much drink – they are passed over before anything can get scrubbed. In addition, I’ve absorbed first-person accounts of folks fighting with the same friends to delete mentions of their childrens’ names and photos, citing the fact they themselves don’t mention that particular subject matter on their own Facebook pages. Incredulity reins supreme, and real-world friendships are weakened as a result. And this is supposed to be fun?

Still, some folks opine that the best way to protect your identity on social networks is to sign up for them – a completely ludicrous proposition. All creating a legitimate account is going to do is provide a clearly defined target for the above described hassles. The only real benefit of such action is it protects your real world friends from getting scammed by the fake you, of which there may be a few lurking around already looking for a helping hand. Personally, I love my friends and family, and thankfully they take responsibility for their own actions so I don’t have to.

As for the idea that your privacy has already been deemed null and void at the hands of the internet, I say bunk. Consider this – you share personal information all over the web. That information lies on many disparate sites, mixed together with other information from many other users. Even Google can’t sort through and precisely collate that data with you – that’s why they’re trying Friend Connect. Someone looking carefully and specifically for you might be able to correlate this information, but it’s a time consuming task (and not necessarily free either). Conversely, if you share all that data on a single site, anyone looking for trouble can easily find you – even Facebook admits they’ve spent a lot of time and effort refining their own search algorithms to make it so.

In a perfect world, everyone would understand exactly how to tweak their Facebook privacy settings for optimum safety. Unfortunately, we don’t live in that perfect world – if we did users might have thought about reading the terms of service before they socked themselves into this mess. And let’s face it – it sounds like work. We’ll ignore the fact that people are actually trusting a service whose genesis was possible theft. Gloss over attempts to infringe on user privacy – in particular the failed Beacon, with its omniscience regarding your everyday purchases. Disregard that it takes days to permanently delete an account. Users signed up in droves anyway.

Coming on the heels of the announcement that Facebook plans to make money by selling user data, I’m wholly unsurprised by this move. Bailing users breaking all those links (and the associative information they convey) would be like breaking the bank.

Now you’re supposed to just trust them?

Good luck with that.

(more…)

Is “1984” required reading at Apple headquarters?

Apple LocationThe next operating system release from Apple, Snow Leopard, is going to include the CoreLocation framework already available for iPhone developers. And…

Since Macs don’t include GPS technology like the iPhone 3G, CoreLocation will utilize a Mac’s existing networking hardware to triangulate the system’s location in a manner similar to the way the original iPhone was able to use the technology to emulate a true global positioning signal.

This may all seem very interesting to those who don’t mind strangers knowing where they are 24/7, but for those of us who value our liberty, we’d rather not have this stuff as default.

No, there is no tinfoil hat here. This is a choice issue – the first of which is the choice to NOT use an iPhone and NOT use mobile maps (unless they are installed resident in my phone’s memory) because I really don’t care to have corporate behemoths knowing where I’m at and where I’m going all the time (and that goes for Apple, Google, and my mobile carrier). Unless the CoreLocation services can be easily disabled, you’re going to have to scrutinize every app you install on your Mac for the access, or not use your networking hardware if you enjoy piece of mind.

I’m personally not willing to deal with the privacy hassles – unless the services can be removed, Leopard is going to be the last Apple operating system upgrade I ever employ.

RELATED: A reaction to reactions on Google Latitude. Hard to have a problem with something that is opt-in.

No firetrucks will arrive as online privacy battle heats up

To get people thinking about the related issues, Marshall Kirkpatrick has put together a list of questions well worth asking, and discussing. It is indeed timely.

Online social networking is already on fire, but there is a price to be paid as well – mashups galore are making it ever easier to get the data you want, as well as enable people to acquire data on you. I find it amusing that users scream when their Facebook accounts are disabled because they tried to mine some of the data within, but in the Scoble case and many others just face the facts – all those people you think are your friends aren’t really your friends. The majority of the people on that “friends list” won’t ever ask you out for a drink, help you move, or read your business plan, and they certainly don’t want you taking their email address to another site so that service can spam them with invitations to join the next best thing. I’m no particular fan of Facebook, but I can’t help but give them a thumbs up here. The myriad of user privacy settings they offer are there for a reason, to prevent pseudo-friends from taking users’ data while they are attempting to grab their own.

It’s a quandary for many internet users. The fact that some join and befriend in the first place makes them particularly vulnerable. It won’t be long before the type of intrusion exemplified by Robert Scoble/Facebook is going on undetected – its centralization makes it low hanging fruit. Meanwhile we’ve moved beyond the average person’s grasp of privacy – it no longer exists – the best one can hope is that the information available about them isn’t ultimately damaging.

No fire truck is going to arrive to help you if it is.

UPDATE: If the risk of all that social networking data floating around isn’t bad enough already, you can always worry about your ISP doing the mining.

UPDATE 2: Regarding the Scoble/Facebook drama, Paul Buchheit wonders: Why aren’t Gmail, Yahoo! Mail, and Hotmail blocking Facebook? Another good question, and with TOS excerpts to boot!

RIP Facebook?

From Josh Quittner:

A lot of people say that Facebook has jumped the shark. That’s flat out wrong. In fact, Facebook is now being devoured by the shark. There’s so much blood in the water, it’s attracting other sharks. And if Facebook’s not careful, one of them is bound to come along and finish it off. I’ve never seen anything like it in the annals of fast-rising tech companies that fail.

It seems like the people that are most upset about Bacon Bits are the same folks that have been shilling for the company with reckless abandon.

UPDATE: Adam Ostrow confirms (as was suggested above) that the majority of Facebook users don’t even know what Beacon is. I’m not sure whether that is actually good news or bad news for Facebook, but a recent update on Mashable also alerted to the fact that the company has capitulated on the privacy aspects anyway.

UPDATE 2: Hold the presses – Om Malik gets a word in edgewise:

So essentially he’s saying the information transmitted won’t be stored but will perhaps be interpreted. Will this happen in real time? If that is the case, then the advertising “optimization” that results from “transmissions” is going to continue. Right!

Duly (and repeatedly) noted.

UPDATE 3: Does this mean the Quittner quote is memorialized?

Facebook Caves, Changes Coming to Beacon (at least until things cool off)

I’d call this “stealthy postponement“:

While it falls short of the global opt-out feature that our readers seemed to think Facebook would announce in today’s poll, this seems like a reasonable change that will make Beacon much more transparent. On the other hand, as Beacon adds more partners, being notified of all of these actions each time you login to Facebook could be a huge nuisance.

Beyond the obvious aggravation already pointed out, does anyone really think that the data isn’t going to continue to be actively collected for some future re-release? Or simply for sale to the highest bidder?

Alley Insider translated the Facebook PR (it’s rated-F, as in not for the Facebook Fanboy). Peter Kafka added this:

But! Facebook continues to apply a creepy double-standard about information. It’s more than happy to share your personal data with friends and/or advertisers, but it remains fetishistic about its own privacy: The WSJ reports that Facebook is trying to force Harvard alumni magazine 02138 to take down court documents it published alongside a story about the legal battle over Facebook’s origins.

The docs, which have been republished by Valleywag and others, make Facebook founder Mark Zuckerberg come off like a nasty, scheming jackass.

Like I said…stealthy postponement.

UPDATE: Computer Associate’s security team confirms what instincts could have told you.

UPDATE 2: Jay Goldman deconstructs the offending code (and provides resources for blocking it).

UPDATE 3: Of course they do.

Intel Official: Say Goodbye to Privacy

I think Donald Kerr is correct on the first bit, and naive on the latter:

“Privacy no longer can mean anonymity. Instead, it should mean that government and businesses properly safeguards people’s private communications and financial information.”

Anonymity has always been a tool for ill means. But, the government is hardly capable of safeguarding people’s communications, and big companies will hide behind their terms of service (and their lobbying efforts). In other words, there are zero remedies for the little guy.

Everyone loses, but I’d say those hardest hit will be the ones who entrust their data to online services; that data doesn’t need to be actively “intercepted” – instead it’s just mined at will. The winners might be companies like PGP, as well as anyone manufacturing large, portable data storage devices.

UPDATE: Tim Lee‘s take.