
The Big Threats to Internet Security

Dan Goodin has a good piece on one of Bruce Schneier’s recent talks. From the top of the article:

Unlike the security risks posed by criminals, the threat from government regulation and data hoarders such as Apple and Google are more insidious because they threaten to alter the fabric of the Internet itself. They’re also different from traditional Internet threats because the perpetrators are shielded in a cloak of legitimacy. As a result, many people don’t recognize that their personal information or fortunes are more susceptible to these new forces than they ever were to the Russian Business Network or other Internet gangsters.

The notion that government (largely composed of security novices), large corporations, and a feudal security environment (where we trust Apple, Google, etc. to protect us instead of having a generalizable, good security posture of our own) are key threats to security is not terribly new. This said, Bruce (as always) does a terrific job of explaining the issues in technically accurate ways that are simultaneously accessible to the layperson. Read the article; it’s well worth your time and will quickly demonstrate some of the ‘big’ threats to online security, privacy, and liberty.


User vs Corporate Understandings of ‘Security’

A really interesting paper on social authentication has just been released that looks at how facial identification ‘works’ to secure social networks from unauthorized access to profiles/records. The authors note that users of social networks are most concerned with keeping their interactions private from those who know them. Specifically, from the abstract:

Most people want privacy only from those close to them; if you’re having an affair then you want your partner to not find out but you don’t care if someone in Mongolia learns about it. And if your partner finds out and becomes your ex, then you don’t want them to be able to cause havoc on your account. Celebrities are similar, except that everyone is their friend (and potentially their enemy).

Moreover, a targeted effort to identify a user’s friends on a social network (and examine their photos) will let an attacker defeat the social authentication mechanism. While many users would consider this a design flaw, Facebook, which uses this system, doesn’t necessarily agree because:

[Facebook] told us that the social captcha mechanism was used to solve the problem of large-scale phishing attacks. They knew it was not very effective against friends, and especially not against a jilted former lover. For that, they maintain that the local police and courts are an effective solution. They also claim that although small-scale face recognition is doable, their scraping protection prevents it being used at large scales.

What Facebook is doing isn’t wrong: it simply has a particular attacker type in mind with regard to social authentication and has deployed a defence mechanism to combat that attacker. Most users, however, are unlikely to consider that the company has a different attack scenario in mind than its end users, leading to anger and concern when a defence designed for wide-scale attacks fails to protect against targeted attackers. While I don’t see this as a security or policy failure, it suggests that companies would be well advised to explain to their users how different security inconveniences actually map onto different hack/attack scenarios. Beyond educating users as to what they can expect from the various defence mechanisms, it might raise some awareness of the different kinds of attackers that companies have to defend against. In an ideal world, this might serve as a starting point for educating users to become more critical of the security models that are imposed upon them by corporations, governments, and other parties they deal with.


Terrific Set of Short Privacy Papers

The folks at the University of Cambridge’s Security Research and Computer Laboratory have pulled together a terrific set of short (and accessible) papers on security and privacy. I’d highly recommend taking a look.


Network Neutrality and Smart Televisions

From GigaOm, we find that:

Korea Telecom in South Korea has taken an interesting twist on the idea [of network neutrality], and decided to block Samsung’s Smart TVs from accessing the Internet, according to this article from the Maeil Business Newspaper, a large S. Korean daily. That’s right, net neutrality isn’t just for applications anymore.

It’s absurd that so-called ‘SmartTVs’ are being blocked on the basis of data consumption: as content goes HD and is piped over IP (and fibre optic lines!), ‘data consumption’ cannot plausibly justify cutting these televisions off from the IP network. No, what we’re seeing is an effort to stymie over-the-top growth unless the content owner/monopolist can find a way to extract unjustified rents. The Korean case is a clear example of why network neutrality regulations are so important.


Is the spectrum crisis a myth?

Kevin Fitchard has written one of the better (popular) pieces on why we need to get past the spectrum crisis myth. Go read it.


parislemon: What If… (Office For iPad Edition)

parislemon:

Watching the back-and-forth yesterday about the whole Microsoft Office for iPad thing was nothing if not amusing. The basic rundown:

“It’s coming, here it is.” “That’s not it.” “Yes it is.” “No it’s not, but we didn’t say it’s not coming.” “A Microsoft employee showed it to us.” “No…

MG has an interesting analysis of what Office for iPad might mean. I have to admit, if MS partners with Apple to bring real office software to the iPad then another sword will be levelled at Google’s throat. I still (as a professional writer) despise using Google Docs for anything but the most minimal tasks: it just doesn’t meet my requirements for ‘real’ word processing.

The takeaway? Office would add to the ‘professional’ status of the iPad without taking away from the iPad’s ‘consumer friendly’ branding. This would further exacerbate the issues that Google’s tablets face while simultaneously challenging RIM’s own advertising that the PlayBook is ‘the’ tablet for professionals. It would definitely be a coup for both companies against their competitors, and so is well worth watching for.


Want to Claim Congestion? Then Expect Real Audits

Free is a really interesting new mobile carrier in France that offers a cheap entry-level rate of service. It seems as though the incumbent it has partnered with wasn’t expecting Free’s success, and so it wants to raise rates on the basis of congestion. Specifically:

France Telecom said its network was being stressed by a rapid growth in traffic brought on by its hosting of new mobile entrant Iliad and vowed to protect its clients from service interruptions, its CEO told magazine Le Point…Iliad’s Free Mobile service upended the French telecom market in January when it launched its main offer at 19.99 euros per month for unlimited calls to France and most of Europe and the United States, unlimited texts, and 3 gigabytes of mobile data.

It’s entirely possible that the network is stressed … but it’s equally possible that other issues are producing stresses that are real or imagined. If incumbents get to call congestion whenever the market turns against them, then they should be subjected to real, honest-to-god tests for congestion by engineers who are (at best) neutral. Ideally the engineers should be downright hostile, in order to force the incumbent to demonstrate beyond a shadow of a doubt that the network is indeed strained, and that such strains aren’t the result of poor management, investment, or technical configuration.

If it turns out that the incumbent is responsible then it should pay for the audit, be required to meet the contractual service commitments it offered to partners, and be prohibited from engaging in predatory pricing in the future. Congestion is now a particularly tired big bad wolf, and it’s time that ISPs that cry wolf are actually forced to demonstrate, in peer-reviewable empirical terms, that the wolf is actually at the door or ravaging the sheep.


Wireless Interference and Smart Meters?

Apparently folks in the DSLReports forums are reporting some issues with their new smart meters:

Users in our forums direct our attention to claims that at least one small WISP has had their service put out of commission due to electric utility smart meters operating in the 900 MHz band. We’ve previously noted how utility smart meters are interfering with residential Wi-Fi routers, and we’re seeing a growing number of complaints about the meters interfering with other residential gear as well. The solution from utilities so far appears to be the hope that all consumers migrate to the 2.4 GHz and 5.8 GHz bands so they don’t have to change. However, some smart meters also use the 2.4 GHz range.

I hadn’t really considered interference as one of the issues with smart meters (most of my time has been spent looking at the privacy, payment, and security issues that these meters have exhibited over the past decade), but I guess I shouldn’t be surprised. If consumers are being forced to adopt the next-gen electrical surveillance kit, I have to wonder: can they at least negotiate for a free router to go with their electrical update?


Sony’s Smartgrid Micropayment System

Sony is promoting a product concept: smart electrical outlets that enable micropayments and authentication for energy usage at the device level. As described by The Verge:

Sony is developing power outlet technology that uses IC chips to determine a user’s identity or permissions. Possible use case scenarios include managing energy usage in large buildings, device theft prevention, and — yes — the potential for paid access to power. Sony says it expects the technology to be employed in cafes, restaurants, airport waiting lounges, and other public places. The outlets have an IC chip built-in, and send authentication information down the power line itself — this can come from an IC chip built into the plug, or potentially inside an NFC-equipped device or payment card.

This isn’t a surprising new concept (contemporary ‘smart systems’ are largely sold on this kind of logic), but it’s telling that we would be moving payment and identity authentication into integrated ICs on the devices that we use in daily life. I’ll be incredibly curious to see the threat models and risk assessments associated with these next-generation smart systems: if they are deployed as imagined, payment security and electrical privacy would be incredibly serious, and challenging, issues to adequately address.


Tracking by GSM

From Ars Technica:

The attack works by exploiting features in GSM, or Global System for Mobile Communications, cellular networks that transmit data sent between base stations and phones in clear text. By simply calling the target’s mobile number and monitoring the network’s radio signals as it locates the phone, the attacker can quickly confirm if the person is located in what’s known as the LAC, or Location Area Code. Attackers can use the same technique to determine if the target is within close proximity to a given base station within the LAC.

This is helpful for figuring out where, in a specific geographic area, a person is or (in case you’re interested) where they aren’t. This latter use, confirming that a person isn’t in a specific LAC, is particularly useful if you are launching some action that is made easier by a person’s absence. (Hint: Think burglary).

This new GSM attack builds on other research around monitoring a person’s location by exploiting mobile phones. For a good overview of the information used in similar kinds of surveillance, see Claudio A. Ardagna et al.’s chapter in Digital Privacy: Theory, Technologies, and Practices.