March 31, 2008

Vista Compromised to Get at a Nice Laptop

“Hacker Shane Macaulay (with the help of friends Derek Callaway and Alexander Sotirov) of Security Objectives was able to compromise and gain control of the Windows Vista laptop via a previously undiscovered flaw in the latest version of Adobe’s Flash software, allowing him to claim the Fujitsu laptop and the $5,000 cash prize. Just like the Safari flaw that Apple was informed of, the zero-day vulnerability that Shane exploited was responsibly disclosed to Adobe, which is already reportedly readying an update that fixes the vulnerability.”

“Microsoft’s Internet Explorer team should see this as a great accomplishment considering how poor IE6’s security record has been. It looks like Vista’s IE7 stood up to the challenge. Nevertheless, Vista’s fall on the last day left the Sony Vaio laptop running Ubuntu as the ultimate winner—Linux was the last OS left standing.”

Readers in the comments claim any of the three targeted machines could have gone down over the Flash exploit that claimed Vista, leaving the Mac as the only machine taken out by software that came out of the box.

Were any points really proven? No. Except, perhaps, a point assorted advocates (and zealots) alternately embrace or dance around, depending on whether it suits them:

Comparing the relative security of operating systems based on ‘sploit-counting nitpickery is just stupid. Who among average users doesn’t have Flash installed on their machine? On what planet have we not seen 13 Firefox 2 point releases come and go, only one of which addressed nothing more serious than a vulnerability of “high” criticality, all the rest of which had at least one “severe” vulnerability?

The problem with contests like this is that the people who don’t know any better than to run into the street yelling “My OS is the securest!!11!!! lolz losedowz luserz!” will continue to not know any better.

(Link)

Previously: MacBook Air Cracked First in Security Derby

Posted by mhall at 2:07 PM

March 28, 2008

MacBook Air Cracked First in Security Derby

Rich Mogull on a MacBook Air going down first in the annual Pwn2Own contest:

“Although we need to take contests like these with a grain of salt, we can’t dismiss the results. Since it took Charlie Miller only 2 minutes to compromise the MacBook Air, it’s clear that he walked in the door with a complete exploit ready to go. That’s far different from creating one on the spot. Still, it’s concerning that Mac OS X was the first victim to succumb to attack since the contest rules don’t favor any particular platform. According to Macworld, one researcher may have discovered a vulnerability in Windows Vista but was unable to exploit it within the available time. This is likely an indication that the new anti-exploitation security features of Vista are effective at making it more secure than Windows XP, and more secure than it would have been without these changes. Although Apple added similar features to Mac OS X in Leopard, such as library randomization, discussions with security researchers indicate that these defenses are not yet fully implemented, and thus provide little additional security.”

As of this morning, the Ubuntu and Vista boxes were still uncompromised.

Comment of the day from an Engadget commenter, where the, er, remedial version of this discussion is taking place:

“I’d like to see him hack it when it has a firmware password set and File Vault encrypted.”

That’d teach him!

Oh … wait … from Macworld’s coverage:

“Within 2 minutes, [Miller] directed the contest’s organizers to visit a Web site that contained his exploit code, which then allowed him to seize control of the computer, as about 20 onlookers cheered him on.”

Not that the Macworld comments are any better than Engadget’s.

(Link)

Posted by mhall at 6:43 PM

March 26, 2008

Shocker: Internet Advertisers Hate Privacy Laws

Internetnews has a good followup on last week’s news of a New York privacy bill that would curtail how much tracking and data-gathering Internet companies can engage in. Predictably, plenty of the companies that would have to gather consent to track users by personally identifiable information

“Calling Brodsky’s bill ‘paternalistic’ for trying to protect people from a phantom harm, the IAB’s Zaneis argued that educating consumers about what data are actually being collected would alleviate most people’s privacy concerns.

“‘Industry self-regulation has been what has protected consumers throughout the history of the Internet,’ he said. ‘Why don’t we hear legislators and consumer advocates talking about consumer education? If their concern is that consumers don’t know what’s going on, why don’t they try to do something about that? My suspicion is because it’s difficult.’

“‘It’s easy to pass a law; it’s difficult to come to the table with real solutions,’ Zaneis said.”

I think people do talk a lot about consumer education. There are all sorts of advocacy groups out there doing that work. I also think Mr. Zaneis knows that. More to the point, full disclosure and informed consent are key to consumers being educated. The New York bill requires, among other things, disclosure and consent. Rather than acknowledging some give on those issues, the advertising flack prefers to use loaded language and sweeping dismissals.

(Link)

Posted by mhall at 5:48 PM

March 25, 2008

Privacy-Minded Search With PrivacyFinder

The EFF’s Peter Eckersley writes about PrivacyFinder, a Google/Yahoo front-end that has a good data retention policy and can report on the privacy policies of the sites that turn up in results:

“… it’s exciting to report that one small search engine is experimenting with ways to be an aide, rather than a threat, to privacy. PrivacyFinder is a research project at the CMU Usable Privacy and Security Laboratory (full disclosure: Lorrie Cranor, who heads the lab, is also on the EFF Board). It offers an interface to Yahoo! and Google, but with two notable improvements: an excellent logging/data retention policy, and a feature that shows the user information about sites’ privacy policies along with the search results. That way, if two sites offer the same service but one of them is better from a privacy point of view, the user will see that quickly. The PrivacyFinder researchers tell us they’ve observed that people will, for instance, pay more for an item from an online store if they can see that it has an excellent privacy policy.

“PrivacyFinder seems to be making productive use of P3P, an old privacy standard that has, in many other respects, fallen short of expectations. If you run a search on the site, you can quickly see when one result matches your standards and others don’t.

“Privacyfinder’s logging policy is amongst the best in the industry (Ixquick is also first-rate). Privacyfinder only keeps search records for a week, unless the user explicitly opts in to being tracked. Because the CMU Laboratory wants to do research on the use of search engines, it’s offering prizes for people who are willing to be tracked for research purposes. That’s the way we like to see it done.”

I’m not endorsing it because I only just read about it, but I’m definitely going to spend some time looking at it this week.

(Link)

Posted by mhall at 6:22 PM

Another Day, Another Facebook Privacy Lapse

“A security lapse made it possible for unwelcome strangers to peruse personal photos posted on Facebook Inc.’s popular online hangout, circumventing a recent upgrade to the website’s privacy controls.

“The Associated Press verified the loophole Monday after receiving a tip from Byron Ng, a Vancouver computer technician. Ng began looking for security weaknesses last week after Facebook unveiled more ways for 67 million members to restrict access to their personal profiles.

“But the added protections weren’t enough to prevent Ng from pulling up the most recent pictures posted by Facebook members and their friends, even if the privacy settings were set to restrict the audience to a select few.”

(Link)

Posted by mhall at 6:17 PM

March 24, 2008

FBI Pioneers "Guilty by Reason of Clicking"

This is appalling:

"Everyone has had it happen to them: a 'friend' sends you a link in IM or over IRC that purports to be something like a cat in an awkward position with a hilarious caption. Soon, however, you discover that the link wasn't to a lolcat at all; instead, you've been Rick Rolled—or even worse, sent to 2girls1cup (find it on your own, but be warned: it may scar you for life). These pranks are commonplace now, but be careful of what you click on and from whom. If that link points to anything even pretending to be child porn, that's enough evidence for the FBI of intent to download it. The authorities could then raid your home and possibly throw you in jail. No joke, it just takes one click and you're under intense suspicion.

"Such is the case with Temple University doctoral student Roderick Vosburgh, who apparently clicked on an FBI-planted hyperlink somewhere on the Internet. The link pointed to a file on an FBI server that contained no porn, but logged the IP addresses of everyone attempting to access it. Vosburgh's IP was one of those, and the FBI came knockin' on his door early one morning, arrested him, and searched his home.

"In fact, this didn't just happen to Vosburgh—the FBI has been using this click-and-be-owned tactic for a few years now, using logged IP addresses as a way to get warrants and charge people with intent to download child porn (a federal crime). The FBI has been planting links to these bogus files on message boards that are known to attract child predators, but even the log files don't take into account the referrer—any IP address that shows up is automatically assumed to be guilty, and assumed to be coming in from one of the FBI's planted links. This means that if your drunk friends think it's funny to IM you a link to something that turns out to be to the FBI's planted link, you could be in trouble."

It's not hard to anticipate the rationale for this sort of thing: Someone thinks it's a great way to "go after the demand end of the market." In a world where Web client security was perfect and where there were no malicious people to exploit things you can't program a Web client to avoid, that might make a modicum of sense.

Some time back, Linux Today had a policy of disabling anchor tags in its comment section, forcing people to just paste a URL in and let other people copy and paste it into their own browsers. I don't think it was a good policy, but Slashdot had not yet invented "add the target domain of this link in brackets behind the link" technology, and there was another mentality driving the policy anyhow. But a recalcitrant Web developer questioned why he was supposed to disable live links. I told him to grep the site comments database for goatse.cx where it was a. enclosed in an anchor tag as the href and b. not to be found in the inner text of the tag. It wasn't much of a reason, but it was the only one I was given that I agreed with.

One mistake I made, which probably only helped underscore the lesson, was assuming that he'd ever even been to goatse.cx. So he did his grep and found a few dozen links that fit the criteria, then he wondered to himself what all the fuss about that particular URL was and decided to pay it a visit. He got right to work on filtering link markup from comments.
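A Python version of that comment check, added here as an example and not code from Linux Today or Slashdot: it flags anchors whose href points at an external host that never appears in the visible link text, and applies the Slashdot-style mitigation of appending the real host in brackets. The simplified anchor matcher, the sample comments and the example domains are constructed for the demo; the domain searched for is a placeholder rather than the one named above.

```python
import re
from urllib.parse import urlparse

# Simplified anchor matcher for comment markup (attributes in any order, inner
# text may carry inline tags like <b>). Full page HTML would need a real parser.
_ANCHOR = re.compile(r'<a\b(?P<attrs>[^>]*)>(?P<text>.*?)</a>',
                     re.IGNORECASE | re.DOTALL)
_HREF = re.compile(r'''href\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))''',
                   re.IGNORECASE)


def link_host(href):
    """Host an href really points at ('' for relative, fragment or mailto links)."""
    host = (urlparse(href.strip()).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def _href_of(attrs):
    m = _HREF.search(attrs)
    if not m:
        return None
    return next(g for g in m.groups() if g is not None)


def strip_tags(text):
    return re.sub(r'<[^>]+>', '', text)


def is_deceptive(href, text):
    """Deceptive: external target whose host is nowhere in the visible text."""
    host = link_host(href)
    if not host:
        return False
    return host not in strip_tags(text).lower()


def find_deceptive_links(html):
    """Return (href, visible_text) for every deceptive anchor in one comment."""
    found = []
    for m in _ANCHOR.finditer(html):
        href = _href_of(m.group("attrs"))
        if href is not None and is_deceptive(href, m.group("text")):
            found.append((href, strip_tags(m.group("text")).strip()))
    return found


def grep_for_hidden_target(comments, domain):
    """The check from the post: comments whose anchors point at `domain` in the
    href without showing it in the link text. Returns (comment_index, href)."""
    domain = link_host("http://" + domain)
    hits = []
    for i, comment in enumerate(comments):
        for href, _text in find_deceptive_links(comment):
            host = link_host(href)
            if host == domain or host.endswith("." + domain):
                hits.append((i, href))
    return hits


def annotate_links(html):
    """Slashdot-style mitigation: append ' [host]' after each external anchor so
    the true destination is visible whatever the link text says."""
    def repl(m):
        href = _href_of(m.group("attrs"))
        host = link_host(href) if href else ""
        return m.group(0) if not host else f"{m.group(0)} [{host}]"
    return _ANCHOR.sub(repl, html)


# Constructed sample comment markup for the demo.
SAMPLE_COMMENTS = [
    '<a href="http://www.example.com/funny.jpg">cat picture</a>',
    'see <a href="http://example.com/about">example.com</a>',
    '<a href="/faq">FAQ</a> and <a href="#top">top</a>',
    "plain text with http://example.org pasted, no anchor",
    "<A HREF='http://example.org/x'>Click <b>here</b></A>",
]

if __name__ == "__main__":
    print(grep_for_hidden_target(SAMPLE_COMMENTS, "example.com"))
    for c in SAMPLE_COMMENTS:
        print(annotate_links(c))
```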

Now, does the FBI apply some sort of "likely suspect" heuristic to this stuff? If a popular site like, say, Metafilter, had someone pay the $5 on a throwaway site membership and spend their post on a link to an FBI honeypot, you might think it wouldn't take long to straighten the matter out. In his coverage, Declan McCullagh says that probably isn't the case:

When anyone visited the upload.sytes.net site, the FBI recorded the Internet Protocol address of the remote computer. There's no evidence the referring site was recorded as well, meaning the FBI couldn't tell if the visitor found the links through Ranchi or another source such as an e-mail message.

But even if it did, that does nothing to mitigate the many other ways one could draw the FBI's attention to just about anybody, given either some level of trust or momentary access to a browser on a computer obviously in the victim's possession.

Worse, despite the many, many ways the FBI's own Internet crime experts could tell you people find their machines exploited by malware daily, the FBI apparently takes as "evidence" the existence of any illegal content on the arrest target's computer.

This is a repulsive strategy. I'd like to say "I'm sure it won't stand in court," but McCullagh also notes that it has on at least a few occasions.

(Link)

Posted by mhall at 8:31 PM

March 21, 2008

Your Tax Dollars Imprudently at Work

“The State Department said on Friday that it was investigating several incidents in which the passport files of all three presidential contenders were improperly accessed by employees.

“The breaches involved electronic files that contained personal information about Senators Barack Obama, Hillary Rodham Clinton and John McCain. A State Department spokesman declined to say what was in those files, but he said they were likely to contain biographical information and passport applications.

“Mr. Obama’s passport file was breached on three separate occasions earlier this year and as recently as last week, by three employees working for independent contractors who did not have authorization to access the information. The breaches occurred on Jan. 9, Feb. 21, and March 14, according to The Associated Press.

“The State Department’s computer system had flagged each incident, but senior department officials were not informed until they looked into the matter, after receiving inquiries from a reporter on Thursday, a department spokesman said. ‘That information didn’t rise up to senior management levels,’ the spokesman, Sean McCormack, said at a Friday news conference. ‘That should have happened.’”

Nerves are, evidently, frayed:

“One reporter, Lambros Papantoniou of the Greek daily newspaper Eleftheros Typos, asked a question and noted in passing that ‘the whole story looks like a new Watergate scandal.’

“Mr. McCormack interrupted. ‘You know what? You know what? That is so outrageous,’ he said. ‘You just lost your privilege.’ Mr. McCormack refused to acknowledge the reporter for the remainder of the news conference.”

Didn’t they learn anything from those hospital workers who got fired for looking at Britney Spears’ records?

(Link)

Posted by mhall at 6:58 PM

March 20, 2008

NY Law Would Require Web Tracking Notification

A New York state legislator is working on a bill that would curtail how much tracking companies can engage in:

“If it passed, computer users could request that companies like Google, Yahoo, AOL and Microsoft, which routinely keep track of searches and surfing conducted on their own properties, not follow them around. Users would also have to give explicit permission before these companies could link the anonymous searching and surfing data from around the Web to information like their name, address or phone number.

“Because there is no federal legislation on these subjects, Mr. Brodsky's bill — and, to a lesser extent, the one in Connecticut — could set interesting precedents.

“‘A law like this essentially takes some of the gold away from marketers,’ said Joseph Turow, a professor at the Annenberg School for Communication at the University of Pennsylvania. ‘But it's the right thing to do. Consumers have no idea how much information is being collected about them, and the advertising industry should have to deal with that.’”

Microsoft slays me:

“Microsoft asked Mr. Brodsky to broaden his bill to include all sorts of companies that serve ads around the Web, not just those that show ads based on users' behavior. Such a change would create a bill that more clearly includes Microsoft's chief competitor, Google.”

(Link)

Posted by mhall at 8:02 PM

March 19, 2008

Facebook Shocker: New Privacy Controls Sort of Naive

Chris Soghoian reports on Facebook's new privacy controls, which feature the ability to classify what kinds of people can view particular elements of their profiles:

“This sounds like a great idea, and should be a significant benefit to those students who find that their Facebook-advertised parties were busted by police who found out about the events through the social-networking site.

“The primary problem is that Facebook has no way of determining what someone's university status is. The company is only able to verify that the user has a valid .edu e-mail address, which could mean that the person is a student, staff member, professor, or alumni. As a result, Facebook asks users to self-report this information.

“Given an example situation where a student doesn't wish for the Facebook-using professors at their university to be able to view their profile, it would be trivially easy for a professor to log in, and change his or her own status to that of an undergrad.”

Yoinks!

“This new system provides little in the way of real additional protection, yet may give users a false sense of security, leading the millions of users to post even more stupid and embarrassing things to the site than they currently do.”

Which gets us into the territory of encouraging people to just not put stuff up on Facebook that they wouldn't want to put up on billboards all over town.

(Link)

Posted by mhall at 6:12 PM

March 18, 2008

New Privacy Features for Facebook

Self-destructing interns everywhere rejoice:

“Facebook Inc. is tweaking the privacy settings on its popular online hangout to let users exert greater control over which of their friends are allowed to see personal details they post.

“The Palo Alto-based company said it would add features Tuesday night that will give its 67 million active users the option of selecting individual users who can or can’t access certain parts of their pages.

“For example, someone who uploads a racy batch of photos or lists his cell phone number or personal e-mail address on his Facebook page can now bar some people on his list of friends from seeing any of that information.”

(Link)

Posted by mhall at 7:16 PM

March 17, 2008

China Builds Up the Great Firewall

“China has joined the ranks of countries that have instituted either temporary or permanent blocks on YouTube. The decision came as clips of the recent riots in Tibet—a ‘sensitive’ topic in China—have made their way onto the popular video sharing site. As usual, the Chinese government has remained mum on the move to block content from the eyes of Internet users, so it’s unclear whether this block will remain in effect for the long term or if it’s merely a short-term solution.

“YouTube isn’t the only site that has reportedly been added to China’s Great Firewall since the Tibetan riots started last week. Popular news sites reporting on the riots—such as CNN, The Guardian, the BBC, Google News, and Yahoo!—have allegedly had all or parts of their sites blocked. Some Chinese readers have reported that only specific articles have been blocked, including ones that contain keywords about Tibet, riots, or the Dalai Lama.

“Our own tests this morning with WebSitePulse’s China firewall tester have only yielded a block on youtube.com thus far—the other sites’ home pages (and some specific articles about Tibet) appear to be going through. As we know, though, China’s firewall doesn’t always filter everything all the time, and may be implemented differently in different areas of the country. Sites that appear accessible in Shanghai right now might not be accessible in Beijing, and something that’s accessible in China’s capital may mysteriously ‘disappear’ later on. Researchers at UC Davis’ Computer Science department found that the firewall would accidentally allow banned terms through about 28 percent of the time, particularly during high-traffic times.”

(Link)

Posted by mhall at 7:17 PM

March 14, 2008

Comparing Obama & Clinton on Civil Liberties

Mona, formerly of Unqualified Offerings and now blogging at The Art of the Possible, makes a little hay over the "Obama and Clinton are practically the same anyhow" bit of CW floating around:

"This is not so. On restoring decency, respect for the rule of law, and basic civil liberties such as warrants when spying on Americans, and explicit rejection of torture, Obama is far, far ahead of anything HRC has been willing to state."

And she provides a few reasons.

The Art of the Possible is a newish blog with a civil liberties/human rights focus:

"We bring together liberal and libertarian writers who agree on certain politically and morally enlightened essentials. Their discussions here serve to delineate the reasons why basic human rights must always be defended. Their disagreements, by contrast, will illustrate why forming new alliances is hard, and perhaps serve as a reminder as to why new alliances are so rare."

Mona comes to the site from the libertarian side of the fence. Having followed her during her time over at UO, and knowing that her libertarianism comes from somewhere besides the "sounds hipper and edgier than plain-old-Republican" wing of the tendency, I think it means something when she makes a distinction between a pair of Democrats. I guess we'll see how meaningful that distinction is to everyone else with a Nolan chart on the wall come November.

(Link)

Posted by mhall at 4:53 PM

House OKs Spy Bill, Rejects Telco Immunity

“The Democratic-led U.S. House of Representatives defied President George W. Bush on Friday and passed an anti-terrorism spy bill that permits lawsuits against phone companies.

“But the 213-197 vote was far short of the two-thirds majority needed to override a promised veto by Bush. He has demanded that any telecommunication company that participated in his warrantless domestic spying program secretly begun after the September 11 attacks receive retroactive immunity.

“The battle over whether to shield companies has been a key reason why the House and Senate have been unable to agree on a bill to replace a law that expired last month that expanded U.S. authority to track enemy targets without a court order.

“It has also prompted Republicans to accuse Democrats of undermining national security while Democrats have accused Bush and his fellow Republicans of election-year fear mongering.”

(Link)

Analysis from Glenn Greenwald:

“It is, of course, true that this bill will have a hard time passing the Senate (though if even most House Blue Dogs were persuaded to support this bill, why can’t most Democratic Senators who previously voted for the Rockefeller bill be persuaded?). It’s also true that even if it did pass the Senate, the President will veto it, and there won’t be enough votes to override the veto. So this bill won’t become law, but that doesn’t matter.

“The reality is that the best possible outcome here is nothing -- we lived quite well for 30 years under FISA and if no new bill is passed, we will continue to live under FISA. FISA grants extremely broad eavesdropping powers to the President and the FISA court virtually never interferes with any eavesdropping activities. And the only ‘fix’ to FISA that is even arguably necessary -- allowing eavesdropping on foreign-to-foreign calls without warrants -- has the support of virtually everyone in Congress and could be easily passed as a stand-alone measure.”

(Link)

Posted by mhall at 4:52 PM

Is the Market Efficient at Producing Privacy?

Ed Felten thinks through some issues raised in a decent Slate essay:

“people say they want more privacy than the market is producing. Why is this? One explanation is that actions speak louder than words, people don’t really want privacy very much (despite what they say), and the market is producing an efficient level of privacy. But there’s another possibility: perhaps a market failure is causing underproduction of privacy.

[...]

“Companies can signal a commitment to privacy, but those signals will be unreliable so customers won’t be willing to pay much for them — which will leave the companies with little incentive to actually protect privacy. The market will underproduce privacy.

“How big a problem is this? It depends on how many customers would be willing to pay a premium for privacy — a premium big enough to replace the revenue from monetizing customer information. How many customers would be willing to pay this much? I don’t know. But I do know that people might care a lot about privacy, even if they’re not paying for privacy today.”

I like the emphasis on signaling vs. substantive behavior. As the Slate essay noted, signifying "goodness" has been key to Google's ongoing success as a standard bearer for what the essayist called "immaculate capitalism." That keeps it ahead of a curve that overtook Ask with the Ask Eraser debacle.

Who really knew Ask? Not many people, so it didn't have a lot of perceived goodness to bank. It didn't help that Ask.com went through a few branding changes (and is now flailing about trying to figure out what it even thinks it should be doing). So when a company that hasn't established a very stable public persona rolls out something like Ask Eraser, and the loopholes in the service show up under mild scrutiny, there's no banked trust to fall back on. Google, in the meantime, at whose (among others') behest Ask was compromising the usefulness of Eraser, was pleased to collect all the information people thought they wouldn't be giving to Ask.com.

Ask came off looking a little shady; Google went back to writing circular justifications for all its data gathering in its blog.

(Link)

Posted by mhall at 2:26 PM

March 12, 2008

Back to Basics With Unix Permissions

Last week, Charlie Schluting had a piece on managed Web app installations for hosting providers. He was writing in reaction to the unfortunate way insecure Web applications in the hands of inexperienced users cause a lot of security headaches that contribute directly to the assorted botnets drifting around in the ether.

One of the things he touched on was the lamentable way lazy developers will put apps out there with instructions to open up the permissions on a directory or installer file, then either forget to tell the user to revert the permissions to something sane or don't just script that part themselves. So you get a lot of people blindly following instructions, tapping in seemingly innocuous commands that leave gaping holes in a server's security.

So this week he came back with a back-to-the-basics article on Unix permissions. Maybe not new to most Unix/Linux mavens, but worth printing out or forwarding to people coming at things from a background other than Unix administration who don't spend a lot of time on the command line unless they're unpacking a tarball with the latest easy-to-install Web app.
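As an added example of my own (not from Schluting's articles), a small Python audit of the lapse described above: it walks an app directory for entries left world-writable or carrying setuid/setgid bits, and puts modes back to the conventional 755 for directories and 644 for files, which is the step install instructions usually omit. The sample tree, file names and modes are constructed for the demo and assume a Unix filesystem that honours chmod.

```python
import os
import shutil
import stat
import tempfile


def audit_tree(root):
    """Return sorted (relative_path, octal_mode, problem) findings under root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # judge the target when the walk reaches it
            mode = stat.S_IMODE(st.st_mode)
            rel = os.path.relpath(path, root)
            if mode & stat.S_IWOTH:
                if stat.S_ISDIR(st.st_mode) and mode & stat.S_ISVTX:
                    # Sticky world-writable dirs (like /tmp) are still worth a
                    # look: an upload dir should be owned by the web server
                    # user instead of opened to everyone.
                    problem = "world-writable dir (sticky)"
                else:
                    problem = "world-writable"
                findings.append((rel, oct(mode), problem))
            if mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append((rel, oct(mode), "setuid/setgid"))
    return sorted(findings)


def restore_sane_modes(root, dir_mode=0o755, file_mode=0o644, skip=()):
    """Put every directory and file back to a conventional mode, except the
    relative paths listed in skip. Returns how many entries were changed."""
    changed = 0
    for dirpath, dirnames, filenames in os.walk(root):
        wanted = [(d, dir_mode) for d in dirnames] + [(f, file_mode) for f in filenames]
        for name, want in wanted:
            path = os.path.join(dirpath, name)
            if os.path.relpath(path, root) in skip:
                continue
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            if stat.S_IMODE(st.st_mode) != want:
                os.chmod(path, want)
                changed += 1
    return changed


def demo():
    """Build a constructed app tree showing the typical 'chmod 777 to install'
    leftovers, audit it, repair it, audit again. Returns (before, fixed, after)."""
    root = tempfile.mkdtemp(prefix="webapp-")
    try:
        os.makedirs(os.path.join(root, "config"))
        os.makedirs(os.path.join(root, "uploads"))
        for rel, content in [("config/settings.php", "<?php $db_pass = 'x';"),
                             ("index.php", "<?php echo 'hi';"),
                             ("install.php", "<?php // installer")]:
            with open(os.path.join(root, rel), "w") as fh:
                fh.write(content)
        # Modes a hasty install guide leaves behind (constructed for the demo).
        os.chmod(os.path.join(root, "config"), 0o777)
        os.chmod(os.path.join(root, "config", "settings.php"), 0o666)
        os.chmod(os.path.join(root, "install.php"), 0o777)
        os.chmod(os.path.join(root, "uploads"), 0o1777)
        os.chmod(os.path.join(root, "index.php"), 0o644)
        before = audit_tree(root)
        fixed = restore_sane_modes(root)
        after = audit_tree(root)
    finally:
        shutil.rmtree(root)
    return before, fixed, after


if __name__ == "__main__":
    for item in demo():
        print(item)
```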

Posted by mhall at 6:38 PM

March 11, 2008

EFF Law-Checks WSJ Article on Domestic Spying

The EFF has some quick analysis on the WSJ's report about domestic spying. Two points out of several:

"The infobox incorrectly asserts that the subject lines of email are not 'content,' and can be obtained without a warrant. According to the article, '[f]or an email, the [NSA's] data haul can include the identities of the sender and recipient and the subject line, but not the content of the message.'"

and

"The infobox incorrectly asserts that the NSA can review '[s]ites visited and searches conducted' without a warrant. 'According to current and former intelligence officials, the spy agency now monitors huge volumes of records of ... Internet searches.' 'The [NSA's] haul can include ... records of Internet browsing.'
To the contrary, courts have held that search terms are 'content' within the meaning of the Electronic Communications Privacy Act ..."

"Rather than detailing what the government is doing that is legal, then," concludes the EFF, "the article actually demonstrates the massive, illegal surveillance of millions of ordinary Americans, in violation of the law and the Constitution."

(Link)

Posted by mhall at 2:02 PM

March 10, 2008

Rebranded TIA Lives On

"The NSA uses its own high-powered version of social-network analysis to search for possible new patterns and links to terrorism. The Pentagon's experimental Total Information Awareness program, later renamed Terrorism Information Awareness, was an early research effort on the same concept, designed to bring together and analyze as much and as many varied kinds of data as possible. Congress eliminated funding for the program in 2003 before it began operating. But it permitted some of the research to continue and TIA technology to be used for foreign surveillance.

"Some of it was shifted to the NSA -- which also is funded by the Pentagon -- and put in the so-called black budget, where it would receive less scrutiny and bolster other data-sifting efforts, current and former intelligence officials said. 'When it got taken apart, it didn't get thrown away,' says a former top government official familiar with the TIA program.

"Two current officials also said the NSA's current combination of programs now largely mirrors the former TIA project. But the NSA offers less privacy protection. TIA developers researched ways to limit the use of the system for broad searches of individuals' data, such as requiring intelligence officers to get leads from other sources first. The NSA effort lacks those controls, as well as controls that it developed in the 1990s for an earlier data-sweeping attempt.

"Sen. Ron Wyden, an Oregon Democrat and member of the Senate Intelligence Committee who led the charge to kill TIA, says 'the administration is trying to bring as much of the philosophy of operation Total Information Awareness as it can into the programs they're using today.' The issue has been overshadowed by the fight over telecoms' immunity, he said. 'There's not been as much discussion in the Congress as there ought to be.'"

(Link)

Posted by mhall at 6:23 PM

Web Bigs Record 336 Billion "Transmission Events" in a Month

The NYT has a concise, interesting consideration of the kinds of data gathering going on at the larger Web outfits:

"ComScore analyzed 15 major media companies' potential to collect online data in December. The analysis captured how many searches, display ads, videos and page views occurred on those sites and estimated the number of ads shown in their ad networks.

"These actions represented 'data transmission events' — times when consumer data was zapped back to the Web companies' servers. Five large Web operations — Yahoo, Google, Microsoft, AOL and MySpace — record at least 336 billion transmission events in a month, not counting their ad networks.

[...]

"The information transmitted might include the person's ZIP code, a search for anything from vacation information to celebrity gossip, or a purchase of prescription drugs or other intimate items. Some types of data, like search queries, tend to be more valuable than others.

"Yahoo came out with the most data collection points in a month on its own sites — about 110 billion collections, or 811 for the average user. In addition, Yahoo has about 1,700 other opportunities to collect data about the average person on partner sites like eBay, where Yahoo sells the ads."

"The depth of Yahoo’s database," the article helpfully notes, "goes far in explaining why AOL is talking with Yahoo about a merger and Microsoft is willing to pay more than $41.2 billion to acquire the company."

(Link)

Worth considering as a chaser:

Slate: Have People Stopped Clicking on Google Ads? The article is focused on a ComScore study that did Google no favors on Wall St., but offers some useful insight about Web traffic analysis in general.

Posted by mhall at 6:10 PM

March 9, 2008

G-Archiver Harvests Your GMail Account Name & Password

"It didn't really have the functionality I was looking for, but being a programmer myself I used Reflector to take a peek at the source code. What I came across was quite shocking. John Terry, the apparent creator, hard coded his username and password to his gmail account in source code. All right, not the smartest thing in the world to do, but then I noticed that every time a user adds their account to the program to back up their data, it sends an email with their username and password to his personal email box! Having just entered my own information I became concerned.

"I opened up a browser and logged in to gmail using his account information. It still worked.

"Upon getting to the inbox I was greeted with 1,777 emails with account information for everyone who had ever used the software and right at the top was mine. I decided to go ahead and blast every email to the deleted folder and then empty it. I may have accidentally changed the password and security question to something I don't remember as well, whoops, my bad. I also contacted google to erase this account as I didn't see a way to delete it myself."

From the comments, a bit of bonus comedy:

"Wow. How incredible. I think this is a wake-up call... we shouldn't automatically trust software."

Y'think?

(Link), via Daring Fireball or MeFi ... I forget which, and they both had it.

Posted by mhall at 7:02 PM

March 7, 2008

"How To Disappear Online"

I'm glad Forbes gave the last word on how to become "Web dead" to someone who's not trying to sell something:

"The only real solution, argues a hacker and security researcher who calls himself 'Dead Addict,' is to not reveal your personal information in the first place. Dead Addict, who plans to give a talk on Web privacy at the technology conference Notacon in April, has used a workaround common to hackers avoiding the problems of online identity: To keep his controversial opinions and cyber-misdemeanors separate from his real world identity, Dead Addict has used a pseudonym for the last 15 years.

"Search for Dead Addict's real name, which he declines to reveal, and he says you'll find a digital non-person: Other than a single forum comment he wrote some 13 years ago, the name offers no results. That anonymity comes from careful attention: Dead Addict has never blogged or created a social networking profile with his real name. Even his business cards carry only his first name and middle initial. 'Fifteen years of keeping distinct identities takes a lot of work,' he says.

"But for those who haven't spent decades hiding from the Web, is it still possible to pull off the same disappearing act?

"'If you already have a history online and suddenly start caring about privacy, you're in a very tough spot,' he says. 'Basically, there's no easy answer.'

(Link), via

Posted by mhall at 5:09 PM

March 6, 2008

Balancing Freedom and Security on a Web Server

We ran a piece by Charlie Schluting on ENP yesterday that deals with the security problems posed by user-maintained Web apps. Charlie's sensitive to the problem because he deals with networking in a university environment, where the user population is pretty diverse in skills and experience and the network is generally more open than you'd find in a comparably sized business.

His take is straightforward:

"Users demand a very limited set of applications, so managing this small set of applications for users makes sense. It is not difficult to provide a scripted way to allow a user to install phpBB, for example. Most Web applications' installation simply consists of copying files in and updating a configuration file with things such as the URL of the site.

"Dreamhost, for example, offers one-click installs. It's really more of an input-information-and-maybe-create-a-database-to-use and then one-click install, but it's extremely simple for the average user to comprehend. Follow-up configuration is sometimes necessary, but this is generally done via the Web page itself, which allows users to complete the task when they visit their new site for the first time.

"By making it easy for users to install the most popular Web applications, Dreamhost and other providers that follow a managed application model are closer to having a definitive list of what applications are installed at which sites.

"There is also less chance that the install will be left in an insecure state if providers manage applications for their users. This may involve adding a quick 'chmod 755' at the end of a configuration routine in the worst case, but it's well-worth verifying that every supported application is properly secured. Providers only need to do it once, yet thousands of customers will reap the benefits."
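As an added example of the end-of-install verification Charlie is describing (this is my own illustration, not code from his article or from Dreamhost's tooling): a small POSIX shell script that checks an unpacked web app for the three things most often left behind by a sloppy install, and a separate fix routine that does the "quick chmod 755" properly. The directory layout, the config.php credentials file and the leftover install.php are assumptions for the sake of the example; substitute whatever the app you're packaging actually uses.

```shell
#!/bin/sh
# Added example, not Charlie Schluting's code or Dreamhost's own tooling.
# Assumptions (hypothetical): the app is unpacked under one directory, its
# database credentials live in config.php, and install.php is a one-shot
# installer that should not survive setup.

# Report every way the tree is left insecure; return 1 if anything is found.
check_webapp_perms() {
    dir="$1"
    rc=0

    # 1. Nothing world-writable: on a shared host, a world-writable file or
    #    directory lets any other local user drop PHP the server will run.
    if find "$dir" -perm -002 | grep -q .; then
        echo "FAIL: world-writable paths under $dir:" >&2
        find "$dir" -perm -002 >&2
        rc=1
    fi

    # 2. The file holding DB credentials must not be world-readable.
    if [ -f "$dir/config.php" ] && find "$dir/config.php" -perm -004 | grep -q .; then
        echo "FAIL: $dir/config.php is world-readable" >&2
        rc=1
    fi

    # 3. The installer must be gone: left in place, it can usually be re-run
    #    by anyone to point the app at a new database and take it over.
    if [ -e "$dir/install.php" ]; then
        echo "FAIL: $dir/install.php still present" >&2
        rc=1
    fi
    return $rc
}

# The "quick chmod 755" done carefully: 755 on directories, 644 on files,
# and the credentials file tightened to 600. 600 assumes PHP runs as the
# site owner (suexec/FastCGI); under mod_php running as the web server's
# user you would use 640 with the server's group instead.
harden_webapp() {
    dir="$1"
    find "$dir" -type d -exec chmod 755 {} +
    find "$dir" -type f -exec chmod 644 {} +
    if [ -f "$dir/config.php" ]; then
        chmod 600 "$dir/config.php"
    fi
    rm -f "$dir/install.php"
    return 0
}

# Constructed sample install exhibiting all three problems (test data only).
make_sample_install() {
    dir="$1"
    mkdir -p "$dir/uploads" "$dir/includes"
    printf '<?php $db_pass = "s3cret";\n' > "$dir/config.php"
    printf '<?php echo "installer";\n' > "$dir/install.php"
    printf '<?php echo "hello";\n' > "$dir/index.php"
    chmod 644 "$dir/config.php"   # credentials readable by every local user
    chmod 777 "$dir/uploads"      # world-writable directory
    return 0
}

# Stand-alone demo: with no argument, build the sample tree and show the
# check failing, then passing after hardening. With an argument, just check
# that directory and exit with its status.
if [ $# -eq 0 ]; then
    sample=$(mktemp -d)
    make_sample_install "$sample"
    check_webapp_perms "$sample" || echo "before hardening: insecure"
    harden_webapp "$sample"
    check_webapp_perms "$sample" && echo "after hardening: ok"
    rm -rf "$sample"
else
    check_webapp_perms "$1"
fi
```

The check is deliberately read-only and the fix is a separate function, so a provider can run the check across every supported application in its catalog and only apply the chmod where an install actually fails; that is the "do it once, thousands of customers benefit" step Charlie has in mind.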

I'm a Dreamhost customer, myself. I moved there after my son was born and I didn't want to host everything I had going on a server running out of a closet in what became the nursery.

When I had the time, it wasn't such a terrible prospect to imagine maintaining installations of Movable Type, Gallery, Mailman, Postfix, some wiki software and a few other apps. I subscribed to the right security lists, paid attention when Debian sent out security notices, and felt as good as I could about being a hobbyist admin running a bunch of apps I hadn't audited at all.

Dreamhost, as Charlie mentions, has a lot of one-click installs. It's good about notifying you when things change, and it's easy to update to the latest version. As Charlie notes, a minor security update is less likely to cause trouble than a major release, but all in all there's a lot less anxiety. And when Dreamhost offers a one-click update, I know that if something does go wrong, the update files are probably, at the very least, where they belong, so all I have to troubleshoot is the configuration.

And he's right: I'm a lot better about keeping up with errata in the context of clicking an update button than I am maintaining self-installed stuff.

He also mentions toward the end of the article that a lot of people aren't happy with the idea of trading away flexibility and freedom, and he correctly cites the problems that have come up as spam has gotten worse and the security risks that travel with it have multiplied. Some ISP subscribers hate measures like blanket bans on unauthorized SMTP traffic, but the situation has pushed us past what would be ideal and into the realm of what we have to do, given a vastly more complex security situation than we had a decade ago.

(Link), via

Posted by mhall at 7:28 PM

March 5, 2008

Why Stop at Telco Immunity? Banks Need Love, Too

"The FBI acknowledged Wednesday it improperly accessed Americans' telephone records, credit reports and Internet traffic in 2006, the fourth straight year of privacy abuses resulting from investigations aimed at tracking terrorists and spies.

"The breach occurred before the FBI enacted broad new reforms in March 2007 to prevent future lapses, FBI Director Robert Mueller said. And it was caused, in part, by banks, telecommunication companies and other private businesses giving the FBI more personal client data than was requested.

"Testifying at a Senate Judiciary Committee hearing, Mueller raised the issue of the FBI's controversial use of so-called national security letters in reference to an upcoming report on the topic by the Justice Department's inspector general."

"Telecommunications companies?" The same people we're supposed to grant immunity to for other privacy abuses? It sounds like they didn't even have to get their arms twisted to hand over more than anyone asked for.

(Link)
