May 12, 2008
An Interview With AOL's Chief Privacy Officer
I’m still digging out from my long weekend, but I see Kenneth Corbin, a colleague over at InternetNews.com, has posted a lengthy interview with AOL’s chief privacy officer. One interesting excerpt:
“Q: So if legislation can’t keep up with the nuances of technological innovation, is there any room for some kind of a baseline privacy law on data collection?
“I think this is an area where we’re still trying to figure out exactly what people’s expectations are. I would often have debates with the guy who was the inventor of the Buddy List, and he always had different ideas about different promotional things that he wants to do, and I’d say ‘No! You can’t do this! You can’t do this! It’s got to be opt-in…’ And he’d say to me, ‘You know, if you were around when I did the Buddy List, you would have said ‘opt-in’. People downloading instant messaging software shouldn’t be able to see whether your friends are online.”
“And I probably would have been. Why should you — just because you know my screen name — be able to track whether I’m online or not? That’s outrageous! Opt people in. And he’s like, ‘That would have been the end of it, because the whole point of instant messaging is that I can ping you because I see that you’re online. There, you broke my product.’
“You can easily see a law that says you shouldn’t, by default, broadcast information about what you’re doing to all your social networking friends. Well, I kind of like that; I like being able to do it. If I wasn’t even aware of that business model when I was drafting legislation, who knows what I would have broken that people do indeed want and are now using to promote political candidates or using to fundraise or using to do all sorts of things?”
(Link)
Which reminds me …
When I worked at Indiana University the public VAX system had three personalities: You could use the limited menu system to do stuff like read your e-mail and other basic activities, you could edit a dot or config file of some kind and use the system from the command line, or you could opt for an unsanctioned third personality and install a collection of utilities that provided a bunch of functionality you might expect to turn up on a college campus.
The developer had painstakingly mapped the IP addresses of every public terminal on campus down to their room and position, and he had an idea of where a lot of staff terminals in non-public locations could be found. So you could use the utilities to pull up a directory of which users of the utilities were online in a given lab or room and get a map of where those users were seated. Then you could use the utilities to open a ‘talk’ session (or whatever it was called in VMS-land) with the user you’d mapped.
The map database was comprehensive, but it didn’t keep up with developments in the real world, so if a pair of machines were switched, or if a whole lab went in for servicing and got put back in different order, the map would break. The fallout from these breakages was mildly comical: I’d be sitting in some lab catching up on my mail and I’d get a talk banner on my terminal that read “That’s a sexy top you’re wearing … wanna meet?” or “You look really nice … I can tell because I’m looking at you RIGHT NOW.”
It was, after all, 1991, and a generation of maladjusted dorks had been raised on movies that suggested a mild display of super stalker powers via the computer would eventually lead them straight to Ally Sheedy’s heart.
Anyhow … the point:
Those utilities were really just a crude social overlay for a system that had all the bits and pieces it needed to do that kind of thing. To get them you needed to a. know about them, b. be willing to turn off the friendly and utilitarian menu system and c. run a script out of the maintainer’s account that installed the utilities in whatever passes for ~/.profile in VMS. And plenty of people did. They even did it knowing they were subjecting themselves to stuff like that terminal mapping app, which would probably go by “stalkr” if it were out and about on the campus network now.
The engineer in that excerpt above was, I suspect, dead wrong. Opt-in presence wouldn’t have “killed” IM because there really aren’t a lot of soft barriers like “click a box at install-time” or even “turn off the existing interface and install a new interface by running a shell script in some stranger’s VAX account” that will stop people from doing things like, you know, installing software that tells everyone on campus exactly where they’re sitting at any given moment they’re using a computer.
Posted by mhall at 5:36 PM
May 7, 2008
Reprise: Leopard vs. Vista on Security
Kenneth Van Wyk revisits the question of how relatively secure he feels on each platform and comes up with the same, if qualified, answer. I identify with a lot of what he’s saying because I’m also a Mac user by way of Unix/Linux. But there are a few points one might consider open to debate:
On software management he writes:
“Previously, I wrote, ‘Here’s where OS X really shines. Apple has improved on UNIX in this area. Although the standard UNIX utilities are still in /bin, /usr/bin, and such, Apple apps and most third party apps install in /Applications.’
“This hasn’t changed much with Leopard and Vista. I still don’t feel I can remove a major application from a Windows system without leaving behind significant residue, be it directly in the file system in the form of remnant DLLs or in a registry hive somewhere that the uninstaller didn’t clean up.”
Not being a Windows person, anything to do with the registry makes me break out in hives, and its mere existence creates a sense of unease for me. I like everything kept down in simple, plain-text files I can read and modify, and where there’s less chance of breaking everything by breaking just one thing.
If I were more familiar with Windows, I might not feel that paranoid about the registry, and I know Windows people who fear and despise plain text configuration files — especially if the people who designed the file format for a given app decided to model it after the syntax of some obscure pet programming language instead of using simple “foo = bar” declaratives.
But if there’s an overall difference between Macs and Windows machines in this area, it stops at the registry vs. file question. App bundles on the Mac make it easy to keep an application from sprawling all over the place, and I’ve written tools for myself (and others, I guess … if we count voodoo2palm) that rely on AppleScript’s (path to me). It’s a handy way to keep everything tucked down in the bundle.
But nobody says it has to be that way. Developers are free to do what they will. I recently, for instance, had a copy of Adobe CS3 (the entire suite, not one app from it) decide it wasn’t registered or licensed. To make a long story short, even Adobe’s own cleaner script (a Python wrapper around “rm -rf”) didn’t get rid of everything it needed to get rid of to allow me to run the software again. That involved finding files Adobe’s tech support doesn’t even seem to know about (or is instructed not to tell customers about) and removing them, too.
Other apps spread junk around, as well. Cisco’s VPN client sticks bits of itself all over the place, for instance. Apple’s even been accused of violating its own guidelines for where to put files on a system now and then.
And once you drag that tidy app bundle into the trash, all that happens is that the app bundle is now in the trash. Nothing comes along and makes all the configuration files left behind (~/Library/Preferences, ~/Library/Application Support, to name two places to look) go away. That’s why people buy stuff like AppZapper.
You can also find threads on assorted Mac fora where people are told that files with no apparent connection to a problematic app are corrupt and need to be fixed. I got bit by this one about a month ago.
And it’s not like I’m all misty for Unix on this score, either:
    caladan: mph$ make uninstall
    make: *** No rule to make target `uninstall'. Stop.
‘nuff said.
Well, not quite ‘nuff said. Don’t let my tangent keep you from reading the rest of what he has to say:
(Link)
Note: I’m off for the rest of the week. Blogging will resume on Monday. See you then!
Posted by mhall at 3:15 PM
May 6, 2008
Zeroshell and My Interop Security Hangover
Carla Schroder in the first of two parts on how to set up Zeroshell, a small Linux distro designed to provide encryption and security for your wireless network:
“Zeroshell is designed to run on small form-factor routerboards like PC Engines WRAP, Soekris, VIA, and Alix. It also runs from a CD, and you can install it to a hard drive. This is a good way to put older smaller hard drives back to work. The hard drive installation is a hack using the Compact Flash image, so it will take over your entire hard drive. Data, configurations, and logfiles go on a separate partition or a separate device, such as a USB drive.
“Zeroshell includes FreeRADIUS, the popular network authentication server. RADIUS (Remote Authentication Dial-In User Service; despite the name, it works for all networking) authentication is a good way to control access to your network, both wired and wireless. It provides a central authentication server that can operate with any number of network access points. Zeroshell makes it easier to set up good strong wireless authentication with FreeRADIUS. I’m assuming you already have at least one working WAP on your network, and either bridging or routing in place so your wireless clients can access network resources, and you want to add some real security.”
(Link)
Some tangential thoughts:
I remember when I set up my first WAP at home. It wasn’t the most convenient arrangement: A Linux server provided a shared printer, we had a Linux desktop, a Windows desktop and a Linux laptop. With WEP enabled on the WAP, the networked printer couldn’t talk to the Linux laptop, and Samba performance was dreadful.
So WEP got turned off and every app on the laptop that didn’t provide some sort of encryption on its own went through an SSH tunnel. That was seven years ago or so, but I can still look at my muttrc to see the SSH tunneling stuff.
In general, I’ve treated every wireless network connection as a potentially hostile one since then. On my laptop, I’m careful to make sure my bookmarks for sensitive sites point to the SSL version, I make sure IMAP runs over SSL, etc. etc.
One thing I haven’t gotten around to doing is setting up some sort of VPN connection for myself on my home connection, so I can reduce all that hassle to a single concern.
Last week at Interop, I was my usual careful self when I wasn’t working through the corporate VPN, but my laptop did briefly come up on an unencrypted network and I hadn’t shut down Pidgin. So it went through at least one sign-on sequence to several IM services in the clear.
I didn’t think much of it at the time, but I did go back to my room that night to do some work, where one of my AIM accounts did the whole “Someone has logged on to this account from another computer” thing.
I booted the other user off and promptly changed my passwords (all of which, I can happily report, had the benefit of not being like any of my other passwords), but it was a little stunning to realize that just a few moments of exposure and a single unencrypted sign-on had caused an account to be compromised. I’ve been acting like a paranoiac for years, but up until about five seconds after the moment that message came up telling me someone who wasn’t me was signed on to one of my accounts, I’d been guiltily thinking that maybe I was taking myself a bit too seriously.
So I got home on Thursday night, and by Friday at noon I’d set up my DD-WRT-based router to provide me with that VPN I’d been putting off.
Posted by mhall at 4:16 PM
May 2, 2008
Ripping Passwords With Your Friend John
Today over on ENP I ran a tutorial from Paul Rubens on how to use John the Ripper:
“As a network administrator, how do you know which users have chosen passwords that can quickly be guessed or discovered using a brute force or dictionary attack, and which have chosen secure ones? After all, you can’t tell just by inspecting the hashes.
“That’s where John the Ripper - or ‘John’ to its friends – comes in. John is a multi-platform open source tool for carrying out smart guesses, wordlist attacks with word mangling, and even brute force attacks, on password hashes. Its primary purpose is to detect weak Unix password, but, according to Solar Designer, John’s developer, ‘besides several crypt(3) password hash types most commonly found on various Unix flavors, supported out of the box are Kerberos AFS and Windows NT/2000/XP/2003 LM hashes, plus several more with contributed patches.’”
And here’s his conclusion:
“How you decide to use John is up to you. You may choose to run it on all the password hashes on your system regularly to get an idea of what proportion of your users’ passwords are insecure. You could then consider how you could change your password policies to reduce that proportion (perhaps by increasing the minimum length.) You may prefer to contact users with weak passwords and ask them to change them. Or you may decide that the problem warrants some sort of user education program to help them select more secure passwords that they can remember without having to write them down.”
I’ve worked in settings where the password requirements were pretty stringent, with software analyzing passwords as they were requested by users and looking out for typical ‘l33t substitutions users might try to make the password at least somewhat memorable. I hated it, too.
Something like John the Ripper might represent a decent compromise: Set a reasonable baseline policy (at least one number, at least one non-alphanumeric character) and do periodic audits to make sure the very weakest passwords that still survive those criteria are flagged.
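As an added illustration of that compromise (my own example, not code from the tutorial or from John the Ripper), here is a miniature audit in the same spirit: a baseline-policy check, a tiny imitation of John’s wordlist-plus-mangling rules, and a run over three constructed accounts. The hash format, the 8-character minimum and the sample data are all assumptions made for the demo; John itself reads real crypt(3) hashes.

```python
import hashlib
import itertools
import re

# Baseline policy from the post: at least one digit and at least one
# non-alphanumeric character. The minimum length of 8 is an assumption.
POLICY_MIN_LEN = 8


def passes_policy(pw: str) -> bool:
    """True if the password satisfies the baseline policy."""
    return (len(pw) >= POLICY_MIN_LEN
            and re.search(r"\d", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def hash_password(pw: str, salt: bytes) -> str:
    """Demo hash format (salt-hex$sha256): a stand-in for the crypt(3)
    formats John actually reads, not one of them."""
    return salt.hex() + "$" + hashlib.sha256(salt + pw.encode()).hexdigest()


def verify(guess: str, stored: str) -> bool:
    salt_hex = stored.split("$", 1)[0]
    return hash_password(guess, bytes.fromhex(salt_hex)) == stored


# The letter-for-symbol swaps a password filter like the one in the post looks
# for; here they run the other way round, to generate guesses.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "$", "t": "7"}
SUFFIXES = [""] + [str(n) for n in range(100)] + ["!", "1!", "123", "123!", "2008", "2008!"]


def mangle(word: str):
    """Yield variants of one wordlist entry (case changes, leet substitution,
    common suffixes): a tiny imitation of John's wordlist rules."""
    leet = "".join(LEET.get(c, c) for c in word.lower())
    bases = sorted({word, word.capitalize(), word.upper(), leet, leet.capitalize()})
    for base, suffix in itertools.product(bases, SUFFIXES):
        yield base + suffix


def audit(shadow: dict, wordlist: list) -> dict:
    """Return {user: recovered_password} for every stored hash that a mangled
    wordlist guess reproduces. Users absent from the result survived the run."""
    cracked = {}
    for user, stored in shadow.items():
        for word in wordlist:
            hit = next((g for g in mangle(word) if verify(g, stored)), None)
            if hit is not None:
                cracked[user] = hit
                break
    return cracked


def weak_but_compliant(shadow: dict, wordlist: list) -> list:
    """The report a periodic audit should produce: users whose password met
    the policy and still fell to the wordlist."""
    cracked = audit(shadow, wordlist)
    return sorted(u for u, pw in cracked.items() if passes_policy(pw))


# Constructed sample data; a fixed salt keeps the demo repeatable.
SALT = bytes.fromhex("0123456789abcdef")
SAMPLE_SHADOW = {
    "alice": hash_password("P4$$w0rd", SALT),      # passes policy, falls to the leet rule
    "bob":   hash_password("Summer2008!", SALT),   # passes policy, falls to a suffix rule
    "carol": hash_password("x7#Qm2!vLp9z", SALT),  # passes policy, survives this wordlist
}
SAMPLE_WORDLIST = ["password", "summer", "welcome", "letmein", "qwerty"]


if __name__ == "__main__":
    for user in weak_but_compliant(SAMPLE_SHADOW, SAMPLE_WORDLIST):
        print(f"{user}: policy-compliant, but recovered from the wordlist")
```

All three sample passwords satisfy the policy; two of them fall to a five-word list, which is exactly the gap a periodic audit is meant to catch.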
On the other hand, I just had a frustrating e-mail volley with an admin over a password. It wasn’t that my proposed password wouldn’t have been tough to guess … it was gibberish. The problem was, it was mnemonically simple gibberish (if you’re me), so it was too easy to try to touch-type it in.
In the end, I got myself locked out of the thing the password was protecting (3-strike policy) and had to get the password reset. Then I got locked out again. So I used a password generator, told it to avoid dictionary words and fed it parameters in line with the password policy. It produced a difficult password I will probably not memorize before the timeout makes me set a new one, but there’s zero chance I’ll try to touch-type it in.
I went around hating that for about a day, then I just wrote it down on a 3x5 card, folded up the card, and stuck it in my wallet where it is both safe and accessible, even if you’re sitting in the press room at Interop, which I was quite a bit this past week.
All of which is to say “hard passwords did not kill me.” And that causes me to think that it’s sort of patronizing to imply that hard passwords are just too hard for normal folks to cope with. “Normal folks” can use 3x5 cards and ball point pens, same as I can. If there’s any real problem with passwords at this point, it’s probably that it’s too easy to get people to give them up, and even that seems to be improving.
(Link)
Posted by mhall at 5:22 PM
April 30, 2008
Mass Disappointment as Microsoft Fails to Let Big Brother in Through the USB Port
The Seattle Times reports on the sort of thing your favorite paranoiac is sure to go completely ape over:
“Microsoft has developed a small plug-in device that investigators can use to quickly extract forensic data from computers that may have been used in crimes.
“The COFEE, which stands for Computer Online Forensic Evidence Extractor, is a USB “thumb drive” that was quietly distributed to a handful of law-enforcement agencies last June. Microsoft General Counsel Brad Smith described its use to the 350 law-enforcement experts attending a company conference Monday.
“The device contains 150 commands that can dramatically cut the time it takes to gather digital evidence, which is becoming more important in real-world crime, as well as cybercrime. It can decrypt passwords and analyze a computer’s Internet activity, as well as data stored in the computer.
“It also eliminates the need to seize a computer itself, which typically involves disconnecting from a network, turning off the power and potentially losing data. Instead, the investigator can scan for evidence on site.”
Well, crud … I was all set to go into total hysterics about a Top Secret Federal Windows Backdoor Program when Threat Level went and busted my bubble:
“In reality, COFEE doesn’t need a backdoor to operate. And it’s not a USB memory stick, although agents use a memory stick to run the tool on targeted machines.
“COFEE, according to forensic folk who have used it, is simply a suite of 150 bundled off-the-shelf forensic tools that run from a script. None of the tools are new or were created by Microsoft. Microsoft simply combined existing programs into a portable tool that can be used in the field before agents bring a computer back to their forensic lab.
“Microsoft wouldn’t disclose which tools are in the suite other than that they’re all publicly available, but a forensic expert told me that when he tested the product last year it included standard forensic products like Windows Forensic Toolchest (WFT) and RootkitRevealer.”
It’s maybe a little entertaining that Microsoft won’t tell people what’s in the suite, but then again, if you’re serious enough to care you can probably figure it out for yourself.
Posted by mhall at 4:21 PM
April 29, 2008
Your Chatty, Treasonous iPhone & Notes from Interop
Rich Mogull on his iPhone deciding it liked a stray network:
“Turns out I was connected to ‘tsunami’ which is a common default name on Cisco wireless gear. Like the Cisco gear in our community center, which just a week or so before I was playing with. And that got me thinking.
“Many of you probably connect to wireless networks with common names, like Linksys, 2WIRExx, tsunami, or whatever. In other words, either default networks, or names (like those used at conferences and airports) that are in common use or easy to find. But when you remember those on your iPhone (or computer for that sake), it only remembers the network ID (SSID), not that actual network!
“Your iPhone doesn’t know the difference between ‘tsunami’ in your community center, ‘tsunami’ in an office building, and ‘tsunami’ running on some bad guy’s laptop to see what naive fools will connect to it. When you trust a network you’re just trusting a name anyone can use, not something really unique to that network. Your iPhone will then connect to any network using that name.”
Seeing as how I’m sitting here in the press room at Interop and can count 10 wireless networks, several of which invoke the “interop” brand without any indication of whether they’re “official” or just the preserve of some smirking ponytail, wireless security is on my mind. The air is abuzz back at my hotel, too, where there are two networks named for the hotel and where the one for guests isn’t really labeled as such. The instructions the hotel gives don’t anticipate that condition, which strikes me as a glaring gap in the documentation for any publicly available network in 2008.
Elsewhere at Interop
I had a lot of chats with security companies today. Smaller players are happy with yesterday’s announcement that Cisco is cooperating with the Interface for Metadata Access Point (IF-MAP) specification because they sense the opportunity to operate in a standards-driven market. If the rotting corpse of NAC-the-marketing-initiative will fertilize the ground and make way for NAC-the-thing-everyone-just-does-same-as-any-other-basic-function, then I guess I’m glad the corpse has spent the last year stinking up the place.
I also had a briefing with a company that specializes in identifying which users on a network are the most egregious bandwidth hogs/goof-offs. They were pretty clear about their core users: HR departments who want to put together a list of abuses quickly and easily, and supervisors who want to gather enough evidence of misuse/overuse of the Internet in whatever form so they can go complain to HR in the first place.
Their approach differed from other companies I’ve talked to about user behavior modification. Some take an instructive approach, offering admins the chance to pop up windows telling an abusive user his or her behavior is in violation of some policy or another. This company just throttles targeted services and sites to the point they’re unusable, and lets users draw their own conclusions. Whatever conclusions they haven’t drawn by seeing HR people swooping down from their mountain caves waving sheaves of bandwidth consumption reports, anyhow.
My gut reaction to employee monitoring software is almost invariably negative. I’ve been put in the position of using that kind of software, and I didn’t like it. But a moment’s reflection usually causes me to reconsider. I don’t care about the software that much. I’m just bothered by certain management mentalities. How many HR departments are using this sort of thing to counsel employees, and how many are using it as simple ammo?
My own experience with a manager eager to deploy surveillance software was a poor one: She wanted a cudgel, and she didn’t want anyone knowing the software was in use so her cudgel would be that much more shocking when it was applied. I don’t think much of that kind of gotcha management.
Posted by mhall at 7:00 PM
April 28, 2008
Jobs.com Says Profiles Are Permanent
The Consumerist on an unfortunate situation between Jobs.com and someone who has found his information being used elsewhere:
"Dan is pissed because Jobs.com won't remove his name, email address, phone number, and home address from their servers. For reasons unknown, someone else set up a profile with his personal info on Jobs.com. When Dan contacted Jobs.com, they said that because they 'must account for all transactions and account histories' they couldn't delete the info. They also assured him that since he didn't have a resume posted, recruiters can't search or view his information. Dan feels Jobs.com internal 'requirements' shouldn't have any bearing on his right to privacy. What do you think?"
This summary isn't quite in sync with the transcript provided in the entry. It reads a little more clearly if you replace the second sentence with:
"For reasons unknown, someone else set up a profile with his personal info from Jobs.com."
Dan apparently set up a Jobs.com profile at some point, then found that the information he provided there was being put to use elsewhere. Whether by one of Jobs.com's "partners," a ubiquitous ‘out’ in a lot of privacy policies, or by someone who just came along and scraped the information, is unclear.
Now, Dan's unhappy that his profile is being scraped/reused/whatever, and he wants Jobs.com to take it down. Jobs.com is acting about like Facebook was acting a few months ago, before the New York Times came along and took up the cause.
If Jobs.com truly does have to keep information around in perpetuity, it seems to me that its engineers should figure out how to keep a record in the database while making it unavailable for public consumption. That's the very least Jobs.com can do, and it's still inadequate. "Adequate" would involve a records log that sits independent of the active user database.
The answer for "Dan," however, is one Consumerist readers have already suggested: He needs to overwrite his profile with information that effectively decouples his profile from his personal identity. Even if he can't completely zero out the profile, he can make it less harmful to his privacy.
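As an added sketch of the two points above (my own example, nothing to do with how Jobs.com actually works), here is the split between an active profile database and an independent records log, with a retirement step that keeps the accounting trail, hides the row from search and overwrites the personal fields, the same decoupling a user is reduced to doing by hand. Table layout and the sample data are assumptions made for the demo.

```python
import sqlite3
from datetime import datetime, timezone


def open_stores():
    """Two separate stores. 'active' is the searchable profile database;
    'ledger' is an append-only record of transactions that holds no personal
    data, so it can be kept forever without keeping the person's details."""
    active = sqlite3.connect(":memory:")
    active.execute("""
        CREATE TABLE profiles (
            profile_id INTEGER PRIMARY KEY,
            name TEXT, email TEXT, phone TEXT, address TEXT,
            visible INTEGER NOT NULL DEFAULT 1)""")
    ledger = sqlite3.connect(":memory:")
    ledger.execute("""
        CREATE TABLE events (
            event_id INTEGER PRIMARY KEY,
            profile_id INTEGER NOT NULL,
            action TEXT NOT NULL,
            at TEXT NOT NULL)""")
    return active, ledger


def log_event(ledger, profile_id: int, action: str) -> None:
    """Account for a transaction: who (by id), what, when. No PII here."""
    ledger.execute("INSERT INTO events (profile_id, action, at) VALUES (?, ?, ?)",
                   (profile_id, action, datetime.now(timezone.utc).isoformat()))


def create_profile(active, ledger, name, email, phone, address) -> int:
    cur = active.execute(
        "INSERT INTO profiles (name, email, phone, address) VALUES (?, ?, ?, ?)",
        (name, email, phone, address))
    log_event(ledger, cur.lastrowid, "create")
    return cur.lastrowid


def search_profiles(active, email: str) -> list:
    """What a recruiter-facing search sees: visible rows only."""
    return [row[0] for row in active.execute(
        "SELECT profile_id FROM profiles WHERE email = ? AND visible = 1", (email,))]


def retire_profile(active, ledger, profile_id: int) -> bool:
    """Keep the row (so account history still has an id to point at) but hide
    it and overwrite the personal fields. Returns False if no such row."""
    exists = active.execute(
        "SELECT 1 FROM profiles WHERE profile_id = ?", (profile_id,)).fetchone()
    if exists is None:
        return False
    active.execute(
        "UPDATE profiles SET name = '[removed]', email = NULL, phone = NULL, "
        "address = NULL, visible = 0 WHERE profile_id = ?", (profile_id,))
    log_event(ledger, profile_id, "retire")
    return True


def history(ledger, profile_id: int) -> list:
    """The accounting trail survives retirement, without the personal data."""
    return [row[0] for row in ledger.execute(
        "SELECT action FROM events WHERE profile_id = ? ORDER BY event_id", (profile_id,))]


if __name__ == "__main__":
    active, ledger = open_stores()
    # Constructed sample profile.
    pid = create_profile(active, ledger, "Dan", "dan@example.invalid", "555-0100", "1 Main St")
    retire_profile(active, ledger, pid)
    print("search hits:", search_profiles(active, "dan@example.invalid"))
    print("history:", history(ledger, pid))
```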
(Link)
Posted by mhall at 2:52 PM
April 24, 2008
.arpa, .org and .uk Soon to Go DNSSEC
Huh:
“ICANN officials said the organization plans to add DNSSEC to its .arpa Internet domain servers, and that the .org domain servers (run by PIR) as well as the .uk servers also will go DNSSEC soon. Country domains .swe (Sweden), .br (Brazil), and .bg (Bulgaria ) already run the secure version of DNS for their domain servers.
“DNSSEC, which stands for DNS Security Extensions, digitally signs DNS records so that DNS responses are validated as legitimate and not hacked or tampered with. That ensures users don’t get sent to phishing sites, for example, when requesting a legitimate Website. DNS security increasingly has become a concern, with DNS prone to these so-called cache poisoning attacks, as well as distributed denial-of-service (DDOS) attacks like the one last year that temporarily crippled two of the Internet’s 13 DNS root servers. (See DNS Attack: Only a Warning Shot?, DNS Attack: Possible Botnet Sales Pitch , and DNS Servers in Harm’s Way.)
“But DNSSEC adoption has been slow in coming, mainly due to the complexity of managing the keys. Converting .arpa — a domain mostly relegated to Internet research sites — to DNSSEC isn’t quite the same as securing .com, but it could signal that DNSSEC is finally ready for prime time, experts say. Still, DNSSEC isn’t completely useful unless all domains have deployed it.
“ICANN says its latest DNSSEC move doesn’t signal an all-out move to DNSSEC, but it’s a start. ‘Every time another top-level domain signs on, that’s progress,’ says Richard Lamb, an engineer with ICANN who helped build its DNSSEC testbed. ‘Whether it means the DNS root servers [will go DNSSEC] in the near future, I don’t know.’”
Charlie’s also worth reading on DNSSEC in general:
(Link)
Posted by mhall at 8:40 PM
April 22, 2008
XSS Watch, PA Primary Special Edition
“XSS Watch - Inaugural and Probably Last Edition,” more likely, but it’s primary day and I’m all out of red, white and blue bunting clip art.
Anyhow, a hacker found an exploit in the Obama campaign’s Web site and used it to send visitors to Hillary Clinton’s.
Netcraft’s Paul Mutton has some information on what appears to have been a prank.
Someone claiming to be the hacker posted a community blog entry on the Obama site claiming that he or she used a common cross-site scripting exploit to pull off the redirects.
CNET’s Elinor Mills says an e-mail sent to CNET late last night from someone claiming to be the hacker read: “this exploit was not at all politically motivated, and it was simply an immature prank meant purely for fun. Senator Clinton had no hand whatsoever.”
Except we all know that Senator Clinton is totally elite!
Xssed has more details on the exploit itself.
If that’s not enough political stuff for you, go play with Google’s election map, which is explained in a little detail over at the Official Google Blog.
Posted by mhall at 6:50 PM
April 21, 2008
URL Typo Correction Services Kill
ISPs eager to monetize their users’ mistyped URLs are setting them up for trouble as the servers that handle the typo correction prove vulnerable to assorted attacks.
Being an OpenDNS user, I haven’t noticed whether my particular ISP does this or not. I’d guess it doesn’t, just because it’s pretty hands-off. If yours is, maybe OpenDNS is an alternative to consider.
“That fat-fingered URL could result in more than just a page error: Major broadband ISPs such as Earthlink, Comcast, and Verizon, are running advertising servers that capture such error traffic, but these servers are also putting major Websites as well as their visitors at risk of cross-site scripting (XSS) and other attacks, according to researchers.
“Dan Kaminsky, director of penetration testing for IOActive, at ToorCon in Seattle this weekend demonstrated what he calls a ‘Provider-in-the Middle Attack’ or PITMA, an attack that steals cookies and injects content into legitimate Web pages via an ad server — in the demo, an Earthlink ad server — that contained a cross-site scripting flaw. He showed the attack to illustrate how these ad servers, which redirect a user that types in an incorrect URL, can be abused by the bad guys to compromise the Associated Press, Facebook, MySpace, and other Websites.
“Kaminsky said in an interview prior to his demo at ToorCon that the ad servers, which are run by the advertisers on behalf of the ISPs, impersonate some trademarked domains via DNS. But ISPs aren’t intentionally putting legitimate sites such at risk, and the problem is more a side effect of this ad server model. ‘They are trying to monetize the vast number of eyeballs that go through them but don’t stop along the way… I don’t think the [security problem] is intentional. No one set out to make the Web less secure,’ Kaminsky says.
“But that’s just what this arrangement has done, he says. ISPs are working with error-resolution services, such as Barefruit, that help squeeze ad revenue out of URL typos so that when a user mistypes www.facebook.com, for example, his ISP sends him to a URL that’s an available subdomain of Facebook that contains ads for alternative sites to Facebook on the page, for instance. ‘They say [to the ISP]: ‘You deploy this box, and we’ll dynamically register and create these records when a user mistypes something,” Kaminsky says.”
(Link)
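The reason the ad server’s position as a subdomain of the mistyped site matters is cookie scoping: a cookie set with a Domain attribute is sent by the browser to every host under that domain, a typo’d hostname included, while a cookie set without one is host-only. The following added example (mine, not from the article or the researchers) applies the RFC 6265 domain-matching rule to three constructed cookies from www.example.com and shows which ones a request to the typo host wwww.example.com would carry.

```python
def parse_set_cookie(header: str) -> dict:
    """Minimal Set-Cookie parser: name, value and the attributes that decide
    where the cookie is sent back (Domain, Secure)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip(), "domain": None, "secure": False}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "domain" and val.strip():
            # A leading dot is ignored, so "Domain=.example.com" == "Domain=example.com".
            cookie["domain"] = val.strip().lower().lstrip(".")
        elif key == "secure":
            cookie["secure"] = True
    return cookie


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: the host equals the domain, or ends with
    '.' + domain (IP-address literals are not handled here)."""
    host = request_host.lower().rstrip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)


def cookies_sent_to(request_host: str, origin_host: str, set_cookie_headers: list,
                    https: bool = True) -> list:
    """Names of the cookies, set by origin_host, that a browser would attach
    to a request for request_host. No Domain attribute means host-only."""
    sent = []
    for hdr in set_cookie_headers:
        c = parse_set_cookie(hdr)
        if c["secure"] and not https:
            continue
        if c["domain"] is None:
            in_scope = request_host.lower() == origin_host.lower()
        else:
            in_scope = domain_matches(request_host, c["domain"])
        if in_scope:
            sent.append(c["name"])
    return sent


# Constructed sample: three cookies as www.example.com might set them.
ORIGIN = "www.example.com"
SAMPLE_HEADERS = [
    "session=abc123; Domain=example.com; Path=/; Secure; HttpOnly",  # site-wide
    "csrf=tok456; Path=/; Secure",                                     # host-only
    "prefs=dark; Domain=.www.example.com; Path=/",                     # this host and below
]


if __name__ == "__main__":
    for host in ("www.example.com", "wwww.example.com"):
        print(host, "receives", cookies_sent_to(host, ORIGIN, SAMPLE_HEADERS))
```

Only the site-wide session cookie reaches the typo host, which is why a session cookie scoped to the registrable domain is the one worth keeping host-only.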
Previously:
Posted by mhall at 6:29 PM