Categories
Links

Phishing on Mobile Devices

A good paper on (you guessed it!) phishing on mobile devices. The paper is here (.pdf) and the abstract is below.

We assess the risk of phishing on mobile platforms. Mobile operating systems and browsers lack secure application identity indicators, so the user cannot always identify whether a link has taken her to the expected application. We conduct a systematic analysis of ways in which mobile applications and web sites link to each other. To evaluate the risk, we study 85 web sites and 100 mobile applications and discover that web sites and applications regularly ask users to type their passwords into contexts that are vulnerable to spoofing. Our implementation of sample phishing attacks on the Android and iOS platforms demonstrates that attackers can spoof legitimate applications with high accuracy, suggesting that the risk of phishing attacks on mobile platforms is greater than has previously been appreciated.


Security Bugs In Google Chrome Extensions

A piece that was authored last September, enumerating some of the security issues with Google Chrome Extensions. The authors:

reviewed 100 Chrome extensions and found that 27 of the 100 extensions leak all of their privileges to a web or WiFi attacker. Bugs in extensions put users at risk by leaking private information (like passwords and history) to web and WiFi attackers. Web sites may be evil or contain malicious content from users or advertisers. Attackers on public WiFi networks (like in coffee shops and airports) can change all HTTP content. We’ll show you how you can prevent attacks on your extension using Content Security Policy.

In a follow-up, the authors have published a full report (here) that outlines their methodology and identifies the extensions that, as of February 2012, remain unpatched.

Check out the article, and some of the other great pieces that they’ve published on security.


Internet Voting is a Bad, Bad Idea

Last year The Star ran an article detailing the merits of online voting. You get the usual benefits: increased turnout, happier constituents, and enhanced convenience. What the article entirely misses, of course, are the security and associated legitimacy issues linked with voting online. An academic blogger, writing before the article, notes that:

‘securing’ the Internet is a Herculean task. It absolutely cannot be regarded as a ‘secure’ development environment, especially when dealing with matters that are highly sensitive to political, technical, and social fault conditions. Such conditions may be worse than a fail condition, on the basis that faults generate fear and concern without a clear indication that something has gone wrong. In the case of an election, a perceived exploitable fault condition threatens to undermine political legitimacy and politically-generated solidarity on grounds that electoral results might be questionable. Thinking back to our bridge example, a ‘fail’ might be a bridge collapsing. A ‘fault’ might include cracks spanning the support columns that cause motorists to avoid using the bridge out of fear, even though the cracks do not endanger the bridge’s stability. If ‘faults’ cannot be corrected, then there may be general fear about the validity of an election even if the election is not manipulated. If a ‘fail’ condition occurs but is not detected, then there may be a perception of electoral legitimacy without the election actually being legitimate.

Elections are not something to be trivially tampered with. Heightened convenience should not trump electoral security and legitimacy. While paper voting is annoying, it is a far more ‘secure’ method than online voting mechanisms. It really isn’t too much to ask/expect of people to mail in a vote, go to a polling station, or (quite reasonably) abstain from the process for their own reasons. We should not undermine a foundation of democracy just to make things a little bit more convenient.


American Link To Greek Surveillance Debacle?

In 2004 it was discovered that parties unknown had been secretly monitoring a hundred of Greece’s top politicians and bureaucrats. An article from 2011 reveals that,

According to what sources told Kathimerini, the experts found that a mobile phone connection that had been purchased in the name of the US Embassy in Athens was used on one of these phones. Sources said that Dasoulas is now investigating whether any suspects who are not protected by diplomatic immunity could face charges.

Ericsson, which supplied the telephone exchange that was hacked into, and Vodafone, which was the service provider, were both fined by ADAE in 2007 for failing to protect the privacy of those who had their phones hacked, which included the head of the National Intelligence Service (EYP), several ministers and members of the armed forces, but the Council of State later cancelled these penalties.

The follow-up, of whether the Americans were actually involved, is ongoing as far as I can tell. Regardless of the culprits, it’s instructive that even the head of the intelligence service was successfully targeted. We need to be mindful of how surveillance technologies are deployed in our communications networks, not just because we worry about how our own government might use the technologies, but also because of how other third parties might use the technologies against the citizenry.


FYI: Governments Spy On Citizens. A Lot.

You often hear that if you’ve nothing to hide then government surveillance isn’t really something you should fear. It’s only the bad people that are targeted! Well… sorta. It is the case that (sometimes) ‘bad people’ are targeted. It’s also (often) the case that the definition of ‘bad people’ extends to ‘individuals exercising basic rights and freedoms.’ This is the lesson that a woman in the US learned: the FBI had secretly generated a 436-page report about her on the grounds that she and friends were organizing a local protest.

What’s more significant is the rampant inaccuracies in the report. The woman herself notes that,

I am repeatedly identified as a member of a different, more mainstream liberal activist group which I was not only not a part of, but actually fought with on countless occasions. To somehow not know that I detested this group of people was a colossal failure of intelligence-gathering. Hopefully the FBI has not gotten any better at figuring out who is a part of what, and that this has worked to the detriment of their surveillance of other activists. I am also repeatedly identified as being a part of campaigns that I was never involved with, or didn’t even know about, including protests in other cities. Maybe the FBI assumes every protester-type attends all other activist meetings and protests, like we’re just one big faceless monolith. “Oh, hey, you’re into this topic? Well, then, you’re probably into this topic, right? You’re all pinkos to us.”

In taking a general survey of all area activists, the files keep trying to draw non-existent connections between the most mainstream groups/people and the most radical, as though one was a front for the other. There are a few flyers from local events that have nothing to do with our campaign, including one posted to advertise a lefty discussion group at the university library. The FBI mentions that activists may be planning “direct action” at their meetings, which the document’s author clarifies means “illegal acts.” “Direct action” was then, and I’d say now, a term used to talk about civil disobedience and intentional arrests. While such things are illegal actions, the tone and context in these FBI files makes it sound like protesters got together and planned how to fly airplanes into buildings or something.

You see, it isn’t just the government surveillance that is itself pernicious. It’s the inaccuracies, mistaken profilings, and generalized suspicion cast upon citizens that can cause significant harms. It is the potential for these profiles to be developed and then sit indefinitely in government databases, just waiting to be used against law-abiding ‘good’ citizens, that should give all citizens pause before they grant authorities more expansive surveillance powers.


Academics Rally to Defend Sandra Fluke

Sandra Fluke is a Georgetown law student who has been targeted by Rush Limbaugh since giving testimony about the importance of insurance policies providing contraceptive coverage. The academic community has issued a statement in response to the misogynistic attacks that have been launched by Limbaugh and his supporters. It’s available as a .pdf (with a list of signatories) here, and the statement text is below:

The undersigned faculty members, administrators and students of Georgetown University Law Center and other law schools strongly condemn the recent personal attacks on our student, Sandra Fluke. Ms. Fluke has had the courage to publicly defend and advocate for her beliefs about an important issue of widespread concern. She has done so with passion and intelligence. And she has been rewarded with the basest sort of name-calling and vilification, words that aim only to belittle and intimidate. As scholars and teachers who aim to train public-spirited lawyers, no matter what their politics, to engage intelligently and meaningfully with the world, we abhor these attacks on Ms. Fluke and applaud her strength and grace in the face of them.

Limbaugh’s hateful attacks are despicable. I’m incredibly happy to see the academic community publicly rally behind Fluke and would be delighted if this kind of hate speech were prosecuted. If there’s any group that’s likely to have the chops to do this, it’s the massive body of lawyers from around America who have stood up in support of Sandra. Losing advertisers and a poor apology aren’t enough: Limbaugh should be prosecuted for his intentionally slanderous and libellous speech.


I Like The Apps, But Not The Design

A new version of the iPad is coming. The latest ‘craze’ around this version is whether or not it will come with a home button. To date, there’s been one particularly strong ‘In Defence of the Home Button’ post by Dave Caolo, which is effectively a listing of all the functions that Apple has tied to the singular button at the bottom of each iDevice.

This button isn’t going anywhere. And that’s really unfortunate, because better – or at least equivalent – options are out there.

The PlayBook is seriously lacking in apps. SERIOUSLY LACKING. But the hardware design of the device is stunning. I don’t need to pay attention to what is up, down, left, or right because of how RIM has integrated the bezel functionality. For a quick overview of the bezel options, check out the video below:

This isn’t to say that the PlayBook is a winner hands down. Apple’s home button is linked to a variety of accessibility options which are lacking on the PlayBook. Also, Apple has a series of gestures that enable similar features to the PlayBook’s, though I’m far less impressed with how they’re integrated. Because of how awkward these gestures tend to be, I tend to just use the home button, which can be incredibly inconvenient depending on the iPad’s orientation at the time.

My dream would be Apple getting creative and bringing the hardware design leadership of the PlayBook to the app-rich iDevice environment. I’m not holding my breath, though.


Why TV is Broken

Minimal Mac has an interesting piece on the UX of television. In short, a young girl who isn’t exposed to TV suddenly is, and is confused and upset by the service provided. She doesn’t understand commercials, doesn’t understand the changes in volume, and becomes resigned to cable TV’s deficiencies.

A cautionary note to advertisers and television moguls alike: if your next-generation audience is ‘resigned’ to your service, and has alternatives to your content delivery options, you need to adapt or watch your audience base slowly erode.

Go read the piece. It’s well written and eye-opening.


Here’s Why the Government Thinks It Can Kill You Overseas:

Holder left several aspects of his argument unexplained. He did not define the terms “senior operational leader” of al-Qaida, nor what it means to be an “affiliate” of the amorphous group. The attorney general only referred to the drones through the euphemism “stealth or technologically advanced weapons.” Holder did not explain why U.S. forces could not have captured Awlaki instead of killing him, nor what its criteria are for determining on future missions that suspected U.S. citizen terrorists must be killed, rather than captured. Holder did not explain why Awlaki’s 16-year-old son, whom a missile strike killed two weeks after his father’s death, was a lawful target. Holder did not explain how a missile strike represents due process, or what standards for due process the government must meet when killing a U.S. citizen abroad. Holder did not explain why the government can only target U.S. citizens suspected of terrorism for death overseas and not domestically.

In which the United States government asserts, in all seriousness, that it’s perfectly okay (appropriate, even) for the President to order the killing of an American citizen without any due process of law whatever. The Constitution? Not a barrier anymore, apparently.


Liberal Party of Canada Comes Out Against IMSI Catchers

I was surprised – and delighted – to see the Public Safety Critic for the Liberal Party of Canada recently come out against the use of IMSI catchers. Specifically, Francis Scarpaleggia said to Xtra!

The fact that the police do have technology that allows them to capture IMSIs, that means that they could theoretically, with that information, go to an ISP and get the identity of that person, even if the person’s just walking by innocently but they happen to be observing the crowd.

This is a very, very good step in the right direction, and it’s terrific to see the technical concerns with forthcoming lawful access legislation actually rising to the attention of federal politicians. Hopefully we’ll see this kind of technical awareness rise all the way to statements in parliament and committee hearings on the legislation.