Categories
Links Writing

Facebook: Yes, it can get more invasive

Grace Nasri has a good – if worrying – story that walks through how Facebook could soon use geolocational information to advance its digital platform. One item that she focuses on is Facebook’s existing terms of service, which are vague enough to permit the harvesting of such information already. As much as it’s non-scientific I think that the company’s focus on knowing where its users are is really, really creepy.

I left Facebook after seeing they’d added phone numbers to my Facebook contacts for people who’d never been on Facebook, who didn’t own computers, and for whom I didn’t even have the phone numbers. Seeing that Facebook had the landline numbers for my 80+ year old grandparents was the straw that broke my back several years ago; I wonder if this degree of tracking will encourage other Facebook users to flee.

Categories
Links

What Sophisticated Security Tests Should Look Like

Facebook and a few other large corporations understand just how serious contemporary data intrusions and exfiltrations are. They spend a lot of money preparing for attacks. If private companies are taking collected data so seriously, why do our governments seem to remain so cavalier with their data collection, retention, and security practices?

Categories
Links Writing

Lawful Access is Dead, Long Live Lawful Intercept!

So, the takeaway from this post is that Industry Canada’s proposed modifications significantly expand the volume and types of communications that ISPs must be able to intercept and preserve. Further, the Department is considering expanding interception requirements across all wireless spectrum holders; it needn’t just affect the LTE spectrum. We also know that Public Safety is modifying how ISPs have to preserve information related to geolocational, communications content, or transmission data. Together, these Departments’ actions are expanding government surveillance capacities in the absence of the lawful access legislation.

Industry Canada’s and Public Safety’s changes to how communications are intercepted should be put on hold until the government can convince Canadians about the need for these powers, and pass legislation authorizing the expansion of government surveillance. Decisions that are made surrounding interception capabilities are not easily reversed because once the technology is in place it is challenging to remove; as such, the government’s proposed modifications to intercept capabilities should be democratically legitimated before they are instantiated in practice.

Categories
Links Writing

Fragmentation leaves Android phones vulnerable to hackers

Via the Washington Post:

“You have potentially millions of Androids making their way into the work space, accessing confidential documents,” said Christopher Soghoian, a former Federal Trade Commission technology expert who now works for the ACLU. “It’s like a really dry forest, and it’s just waiting for a match.”

The high degree of fragmentation in the Android ecosystem is incredibly problematic; fragmentation combined with delays in providing updates effectively externalizes the security problems stemming from mobile OS vulnerabilities onto individual owners of phones. Those owners are (typically) the least able parties in the owner/carrier/manufacturer/OS creator relationship to remedy the flaws. At the moment, Google tends to respond to flaws promptly, or at least tries to. The manufacturers and carriers then have to certify and process any updates, which can take months. It’s inexcusable that these parties can not only sit on OS updates, but can also continue to knowingly sell vulnerable phones.

Imagine if, after a car line was reported to have some problem that required the line’s recall and refurbishment, dealers continued to sell the car. They didn’t even notify the person buying the car that there was a problem, just that ‘enhancements’ (i.e. the seat didn’t eject when you hit something at 60 km/h, plus a cool new clock display on the dashboard) were coming. The dealers would be subject to some kind of legal action or, failing that, consumers could choose to work with dealers who sold safe cars. Why, exactly, aren’t phone carriers being subjected to the same scrutiny and held to the same safety standards?

Categories
Links

Packets of Death

cleverhacks:

very nice detective work, in which we discover that a single ill-favored packet can completely kill certain Intel gigabit NICs (to the point that a power cycle is required to resurrect them). Excellent writeup (and I discovered a new tool: open source packet generation suite Ostinato, which aims to be “wireshark in reverse”).

The significance, via Slashdot: “With a modified HTTP server configured to generate the data at byte value (based on headers, host, etc) you could easily configure an HTTP 200 response to contain the packet of death and kill client machines behind firewalls!”

Categories
Links

South Korea to Ban Profanity and Porn from Teens’ Smartphones?

The supposed ban is meant, in part, to crack down on cyberbullying. To be clear, such bullying is serious, but introducing security deficits into smartphones – for the children! – really isn’t the way to solve this social problem. You don’t solve social ills by turning to technological filters and blocks. Especially not when trying to get between a teenager and porn.

Categories
Links Writing

Casey Johnston!: I have this seminar I’m running for free for college students and I’m…

caseyj:

I have this seminar I’m running for free for college students and I’m going to show them this picture before we start. It’s a picture of someone graduating from college. You can’t tell, but you can guess that they’re probably $150,000 in debt. Written on the top of their mortarboard with masking tape it says, “Hire me.” The thing about the picture that’s pathetic, beyond the notion that you need to spam the audience at graduation with a note saying you’re looking for a job, is that you went $150,000 in debt and spent four years of your life so someone else could pick you. That’s ridiculous. It really makes me sad to see that.

While I understand what Seth Godin is suggesting, I also think that it’s largely reflective of his incredibly privileged position. When people are leaving schools with that amount of debt, with knowledge that they want to start a family and not suffer (total) financial ruin by starting something and failing, then those individuals may quite reasonably want full-time regular employment.

Godin’s most common response is that ‘such employment doesn’t really exist anymore – so adapt!’ While it’s a great response for some people who are willing to take on heightened risks in their lives it isn’t one that ought to be imposed on all individuals. Moreover, the thought that it’s “ridiculous” to want to be picked and work at a meaningful job and launch a career with a business that is compatible with your training and expertise shouldn’t make anyone sad. Instead, what should be “sad” is that such aspirations are less and less likely to be realized as companies abandon long-term commitment to employees and instead harden their ‘flexible’ hiring strategies that facilitate profits at the expense of human life.

Categories
Links

Yale Suing Former Students Shows Crisis in Loans to Poor

infoneer-pulse:

Needy U.S. borrowers are defaulting on almost $1 billion in federal student loans earmarked for the poor, leaving schools such as Yale University and the University of Pennsylvania with little choice except to sue their graduates.

The record defaults on federal Perkins loans may jeopardize the prospects of current students since they are part of a revolving fund that colleges give to students who show extraordinary financial hardship.

Yale, Penn and George Washington University have all sued former students over nonpayment, court records show. While no one tracks the number of lawsuits, students defaulted on $964 million in Perkins loans in the year ended June 2011, 20 percent more than five years earlier, government data show. Unlike most student loans — distributed and collected by the federal government — Perkins loans are administered by colleges, which use repayment money to lend to other poor students.

» via Bloomberg

The default situation is only going to get worse and worse, especially for those who tried to hide from the US recession by staying in school and taking on educational debt.

Categories
Links Writing

Banking Trojan Ships With Its Own Certificate

This is all kinds of badness, and speaks to malware operators becoming increasingly sophisticated in how they target low-hanging fruit (i.e. random users). In essence, the attack involved getting a certificate issued and then using it to create valid digital signatures for .pdf invoice documents. Once individuals opened the invoices, the malware associated with the .pdf would burrow into the OS and act as a keylogger that targeted banking information.

Unfortunately, I’ve not yet seen a media article discuss how little revoking the certificate used to sign the .pdf actually accomplishes. Revocation is only as good as the client’s check, and OCSP checks are easy to defeat: most clients soft-fail, treating a certificate as good when the responder cannot be reached, so malware already resident on the target’s computer, or an attacker controlling a point between the target and the revocation server (possible by setting a compromised computer to proxy traffic to a host the attacker controls), can simply block or answer the lookup. So, while the cert has been revoked, this action does not necessarily stop the malware from functioning; it just reduces the prospective attack surface. Moreover, if the browser’s or operating system’s trust store and revocation data are not updated – again, something an attacker who already controls the host can arrange – then the same attacker can keep the browser or OS trusting the revoked certificate, for instance by replaying a previously captured ‘good’ OCSP response for as long as it remains within its validity window.
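The point about revocation is easier to see with a timeline, so here is an added example (not code from the original post or from any of the parties it describes) that models a client deciding whether to trust a signature, an OCSP responder, and a path the attacker may block or tamper with. The certificate serial, the responder’s seven-day response validity, the timestamps and the class names are all constructed for illustration; the responder is a stand-in, not a real CA, and no real OCSP messages are parsed.

```python
"""Added example (not from the original post): a model of what revoking a
signing certificate does and does not achieve when the client checks
revocation over OCSP.  Serial numbers, timestamps and the responder's
validity window are constructed for illustration; the responder is a
stand-in, not a real CA.
"""
from dataclasses import dataclass
from enum import Enum


class Policy(Enum):
    SOFT_FAIL = "soft-fail"  # accept if the responder cannot be reached
    HARD_FAIL = "hard-fail"  # reject if the responder cannot be reached


class Unreachable(Exception):
    """The OCSP request got no answer (blocked, sinkholed, timed out)."""


@dataclass(frozen=True)
class OcspResponse:
    serial: int
    revoked: bool
    this_update: int  # responder clock (seconds) when the status was produced
    next_update: int  # the response counts as fresh until this time


class Responder:
    """Stand-in CA responder: knows which issued serials have been revoked."""

    def __init__(self, validity=7 * 86400):
        self.revoked = set()
        self.validity = validity  # responders commonly sign statuses for days

    def answer(self, serial, now):
        return OcspResponse(serial, serial in self.revoked, now, now + self.validity)


class Path:
    """Network path from client to responder; the attacker may control it."""

    def __init__(self, responder):
        self.responder = responder
        self.blocked = False   # e.g. hosts-file entry, proxy rule, firewall drop
        self.replay = None     # a captured, still-fresh 'good' response

    def query(self, serial, now):
        if self.replay is not None and self.replay.serial == serial:
            return self.replay
        if self.blocked:
            raise Unreachable(f"no answer for serial {serial:#x}")
        return self.responder.answer(serial, now)


def trust_signature(serial, path, policy, now):
    """Return (trusted, reason) for a signature made with certificate `serial`."""
    try:
        resp = path.query(serial, now)
    except Unreachable as exc:
        if policy is Policy.SOFT_FAIL:
            return True, f"{exc}; soft-fail treats the certificate as good"
        return False, f"{exc}; hard-fail rejects"
    if not (resp.this_update <= now <= resp.next_update):
        return False, "stale OCSP response"
    if resp.revoked:
        return False, "certificate revoked"
    return True, "OCSP reports good"


def run_scenarios():
    """Walk the timeline from the post; returns the trust decision per scenario."""
    serial = 0x1A2B  # constructed serial number
    day = 86400
    responder = Responder()
    path = Path(responder)
    out = {}

    # Day 0: the attacker's certificate is valid and the signature checks out.
    out["before_revocation"] = trust_signature(serial, path, Policy.SOFT_FAIL, 0)[0]
    # An attacker already on the path records the fresh 'good' response.
    captured = responder.answer(serial, 0)

    # Day 1: the CA revokes the certificate.  A client with an unobstructed
    # path to the responder now rejects the signature under either policy.
    responder.revoked.add(serial)
    out["revoked_clear_path"] = trust_signature(serial, path, Policy.HARD_FAIL, day)[0]

    # Malware on the host (or an attacker in the middle) blocks the lookup.
    path.blocked = True
    out["revoked_blocked_soft"] = trust_signature(serial, path, Policy.SOFT_FAIL, day)[0]
    out["revoked_blocked_hard"] = trust_signature(serial, path, Policy.HARD_FAIL, day)[0]

    # Instead of blocking, replay the captured 'good' response: it stays fresh
    # until next_update, so even a hard-fail client accepts it on day 3 ...
    path.blocked = False
    path.replay = captured
    out["revoked_replayed_day3"] = trust_signature(serial, path, Policy.HARD_FAIL, 3 * day)[0]
    # ... and it is only rejected once the window closes (day 8 > 7-day validity).
    out["revoked_replayed_day8"] = trust_signature(serial, path, Policy.HARD_FAIL, 8 * day)[0]
    return out


if __name__ == "__main__":
    for name, trusted in run_scenarios().items():
        print(f"{name:24s} trusted={trusted}")
```

Running it prints six decisions: trusted before revocation, rejected once revoked with a clear path, trusted again the moment the lookup is blocked under soft-fail (rejected under hard-fail), and trusted even under hard-fail while a replayed pre-revocation response is still within its validity window. Once that window closes the attacker on the host simply falls back to blocking the lookup, which is why revocation narrows the attack surface rather than closing it.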

Categories
Links Writing

EU citizen warned not to use US cloud services over spying fears

shonelikethesun:

What the title says, basically. I had missed this.

The warning should be heard by non-EU citizens too; with the cloud, privacy is fucking dead. And what’s sadder is that 90% of people simply don’t care.
Unless it makes it more probable for your significant other to see your transsexual porn browser history…

The EU Report is well worth a full read (available here in .pdf). Things to keep in mind that aren’t being discussed all that well:

  • you know about this report – media is covering it – because of the tireless efforts of Caspar Bowden, one of the authors and a noted global privacy advocate. It was out for months before it hit the media.
  • everyone is focused on US intelligence (good) but missing the significance of the FISAAA amendments: it’s not just that you can be spied on. It’s that the spying does not have to happen for national security reasons. No, it’s sufficient to conduct surveillance for political (read: espionage) reasons.
  • a huge aspect of the report – which isn’t touched on much, even in the European media – is its call for the European Parliament to give EUROPOL and ENISA a direct mandate.

The second point is particularly important for non-Europeans. While it’s a less-discussed part of the intelligence world, spooks are routinely engaged in industrial espionage on the grounds that such acts assist the nation-state’s finances. This can include the theft of foreign corporations’ information, or (in extreme cases) the deletion of the same information. It seems that FISAAA’s amendments would only permit the former, and not the latter. However, as a result of these amendments corporations should be more wary of outsourcing their document storage to US-based cloud services, content creation to US hosts and online services, or communications systems to (you guessed it!) American firms. Placing such data in the hands of the Americans is rife with potential economic harms and, no matter how much you like Dropbox, Google, or any other cloud provider, they’re all likely to turn on you if the NSA comes knocking.

Source: EU citizen warned not to use US cloud services over spying fears