More than two sides, the complexity of a story

In a lot of my writing, I typically focus on one aspect of the story. For example, with my writing about Ferguson I really focused on the wrong that I believed the police were doing. I didn’t really touch on the violence that the protesters were doing to the community (contained to the first few days) or the violence they were committing on the police. I didn’t ignore it personally, or as I was thinking about the articles, I just didn’t want to discuss it because it didn’t fit with the story I was trying to outline. That’s perfectly fine. You can’t fit everything into any given story. However, that doesn’t mean that omission was support of the actions of the protesters. I abhor their behavior and I think that it really negatively impacted their message. 

The past few days, we’ve had some pretty serious leaks. Over 100 celebrities have had their nude images leaked. The suspected culprit is iCloud. The iPhone, like most Android phones, has the option to automatically back up your photos to a storage unit online. Apparently, there was a vulnerability in an application called Find My Phone, which allowed a person to try as many times as they wanted to access an account. What this meant was that brute force methods for cracking a login for an account would work eventually. It might have taken days or longer for whatever algorithm was used to crack the logins, but eventually it would have worked. There’s no way for it not to. Essentially, the approach would run through as many permutations as possible for the login. Furthermore, it could have actually been run concurrently on multiple different systems to test in parallel. It’s pretty horrible that someone was able to sneak into iCloud and steal these pictures; however, it’s also incumbent on the users of these systems and the owners of the systems to ensure that these simple lapses don’t happen.
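The missing control described above, as an added example (not code from any service named in this post): a failed-attempt limiter keyed on the account, compared with one keyed only on the source address, replaying constructed wrong guesses spread over many sources. The class and function names, thresholds, account name and addresses are assumptions made for illustration.

```python
import time
from collections import defaultdict


class AttemptLimiter:
    """Counts failed logins per key and locks the key out with growing delays."""

    def __init__(self, max_failures=5, base_lockout=60.0, clock=time.monotonic):
        self.max_failures = max_failures
        self.base_lockout = base_lockout
        self.clock = clock
        self.failures = defaultdict(int)
        self.locked_until = defaultdict(float)

    def allowed(self, key):
        return self.clock() >= self.locked_until[key]

    def record_failure(self, key):
        self.failures[key] += 1
        over = self.failures[key] - self.max_failures
        if over >= 0:
            # The lockout doubles with every failure past the threshold.
            self.locked_until[key] = self.clock() + self.base_lockout * (2 ** over)

    def record_success(self, key):
        self.failures.pop(key, None)
        self.locked_until.pop(key, None)


def by_source(account, source):
    """Weak keying: every new source address starts with a clean counter."""
    return source


def by_account(account, source):
    """Strong keying: failures add up no matter where they come from."""
    return account


# Constructed sample data: 250 documentation-range addresses, one account.
SOURCES = [f"198.51.100.{i}" for i in range(250)]
ACCOUNT = "victim@example.com"


def guesses_checked(key_of, guesses, sources):
    """Replay `guesses` wrong passwords round-robin over `sources` at one
    instant in time; return how many reached the password check."""
    limiter = AttemptLimiter(clock=lambda: 0.0)  # frozen clock: no lockout expires
    checked = 0
    for i in range(guesses):
        key = key_of(ACCOUNT, sources[i % len(sources)])
        if not limiter.allowed(key):
            continue  # rejected before the password is even compared
        checked += 1
        limiter.record_failure(key)  # every constructed guess is wrong
    return checked


if __name__ == "__main__":
    print("keyed by source :", guesses_checked(by_source, 1000, SOURCES))
    print("keyed by account:", guesses_checked(by_account, 1000, SOURCES))
```

Keyed by source, each address stays under the threshold and every guess is checked; keyed by account, the parallel guessing stops after the fifth failure.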

The users of these services bear a responsibility for understanding what is happening to their data once it leaves their phones. This is a requirement for any user, not just the famous. The famous likely should have someone help them with their security features, as it’s unlikely that many of them have the desire or knowledge to do it on their own. Not that this is any different for much of the rest of the population. They are as vulnerable as the famous, but aren’t a target simply by being uninteresting.

In both cases, it’s fully acceptable to be upset by both sides of the story. It’s not impossible to say that police violence and militarization is bad and that the criminal element of the Ferguson protests is bad too. It’s also fine to say that you shouldn’t hack and that the people that develop the systems and use the systems are accountable as well. In most of our stories, there are complexities that are withheld or ignored because there is an angle the writer is going for, the story would take too long, or the writer has a low opinion of the readers. In my case, I was going for a specific angle with the Ferguson stories, because I assumed that it was obvious to the reader that the violence committed by the protesters was both known and understood to be a terrible wrong. Not mentioning it did make the police seem less rational than they were behaving though.

In the case of the leaks, most of the attention has been put on the leaker and the people enjoying the leaks; however, it’s important that we keep in mind that there’s a responsibility of the companies to keep that data safe.

Sponsored data and YOU!

This could be your lucky day, your cellular provider is going to start offering packages where certain content doesn’t cost you anything in your data cap. This is awesome. You can start streaming more and more video/music/whatever it is that you stream from your favorite services. However, not all of your favorite services will be free of data charge! So make sure that you tell your favorite service that YOU want THEM to sign up and make their content data cap free to you! All those service providers have to do is pay your cellular provider money to stop the data caps! No, seriously, AT&T wants to do this.

Is this a problem? I think it depends on who you are. For a consumer in some cases this is pretty awesome. Let’s say you love to watch video games being streamed on Twitch.tv by your buddies over at KBMOD and Twitch decides to pay money to prevent your data from being charged against your data cap. But you’re also a huge fan of MLG and MLG just decided to start their own Twitch competitor but they can’t afford to pay those same fees. Well, guess you’ll be only watching MLG from your PC or on wifi. Too bad your favorite shows are on while you’re not able to use wifi though! Oh well, Twitch is there for you though!

This is a niche market obviously. Not everyone cares about watching someone play streaming video games or even streaming video games to your phone so you can keep playing a game you were playing from home. A lot of people care about TV and movies though. We can look at this as something that’s really analogous to what Comcast was trying to do to Netflix close to two years ago. In April of 2012 Comcast announced that its Xfinity streaming service would not be charged against your Comcast data caps while Netflix streaming service would be. Netflix’s CEO argued that this violated Net Neutrality because it provided preferential treatment to one source of data over another.

What is Net Neutrality? Well, there are two different arguments, which I discuss in a blog here, where one is saying everything must be treated equally, while the other one argues that there are nuances and we can treat data differently because we need to “Groom” our networks. Internet and network purists believe that you shouldn’t even be able to determine what the data is or what the source of that data is if you’re a point along the network, just where it most recently was and where it needs to go next. The only application that can read the data in the packet is the application that requested it.

AT&T’s plan, similar to Comcast’s, is in violation of Net Neutrality and the FCC will step in to regulate this type of “service” because it’s, in the end, bad for the consumer. Unfortunately, there are limitations to what the FCC can do and even potentially what AT&T can do.

There has been much more of a push for encryption and it’s likely that these pushes may actually enable more of a return to the true meaning of Net Neutrality. If all of our data is fully encrypted, deep packet inspection tools (which tell if the data you’re getting is video, music, or whatever) won’t work very well as that information will be encrypted. Furthermore, if your application’s data is all encrypted and AT&T can’t tell which data is yours, then there’s no value in paying for “privileged” data status from AT&T.

It’s one of the reasons why I’ll likely support companies like Wickr, an encrypted Snapchat competitor, which told the FBI to screw itself when they were asked to put a backdoor into their encryption. It’s important that we work to protect our data and support companies that do so in terms of Net Neutrality and encryption.

What companies do you support that encrypt and fight for net neutrality?

Goofy Stock photos might not be so silly any more

Silly Stock photo

@NFEN and @Cheddarchezz having a conversation about “hacking”

I just saw a few people that I follow tweeting about trying to take over Youtube. There’s a Meme on Youtube right now that’s been going on for a while as a form of protest over some of the recent changes to the comment policy, copyright policy, integration with Google+ and probably a litany of other issues. To the gaming community Youtube is a dying platform.

What struck me about the conversation wasn’t really what they were talking about, but the stupid stock photos that are supposed to represent “hackers” breaking into a network. For some absurd reason stock photography companies almost always put them in the same outfit they’d be wearing if they were breaking into a house, mugging someone, or doing some other nefarious activity. Clearly it’s just a ploy to help people understand that the person using the computer is up to no good, but it just looks ridiculous as almost no one wears any of those clothes while using the computer. So instead of making it look like a criminal, it just makes it look like an idiot. However, I think that with some recent revelations about the FBI and the hacking process called “RAT” these images are looking less absurd. Not that I’ll go out and buy clothes like this to work at my computer in.

One of the more recent Edward Snowden revelations has to do with breaking into personal computers by the US government. This isn’t really shocking, nor is what they do when they are on the computer. The FBI has admitted that they have the capabilities to hack into your computer and activate your webcam without turning on the indicator light. These capabilities aren’t new. In fact Ars Technica did a report on this in the kiddie hacker community called RAT. I imagine that some of the tools that my friends used to use while we were in high school to remotely open a CD drive or type messages to each other operate in a similar fashion.

So, if you are hacking a computer does it make sense to take precautions against showing your face? It might, or as the Ars article suggests, just cover up the camera. The difference is that you don’t know if you’re under surveillance or not. It’s also not clear if the FBI only means laptop webcams or if they are able to do the same to a smart phone or tablet. As the ACLU mentions in one article “we’ve never had discussion” about law enforcement hacking into computers. This is part of the reason there was a petition for We the People to update our privacy laws. Regular mail and packages are protected by the Fourth Amendment while email is not. Using a web cam with or without a web cam constitutes a much larger breach of privacy than just taking pictures through the camera. It’s likely that with access to the webcam the entire computer is open to the FBI, which means that a warrant for a web cam is a warrant for everything you do. If you have services that you’re always logged into like Dropbox or Tresorit those are also accessible through the computer your cam is being used on.

We need to have a conversation about the limits of searching and privacy. I don’t want to sit around in a ski mask or cover up my webcam. Users likely need to install firewalls, more passwords, and disconnect from services they aren’t actively using.

Book review: Consent of the Networked by Rebecca MacKinnon

I just finished Consent of the Networked today. This title, of course, is a play on the idea of the consent of the governed, where governments are only able to govern with the express permission of the people they govern. We have seen recently with the Arab spring that it is possible to reject the government and show that the governed do not consent.

The book starts with a discussion of how the internet is different than traditional governments. As most people are aware, the internet is international, operated by many different actors including individuals, governments and companies, and has some of its own rules and norms which are different than the physical world.

Because of the diverse set of stakeholders for the internet, the way we (the average person) experience it is different based on the country you live in, the network you are using and the relationship between your government and businesses from other countries. Then toss in advocates that use the internet to promote democracy (or are pro-government) and human rights experts and we have a very messy situation that will likely lead to more and more conflict.

Some of these conflicts are unsurprising, such as countries like China, Iran and pre-fall Egypt and Tunisia wanting greater and greater control of their internet and networks, which the US State department doesn’t want and which puts the countries in great disagreement over the future of the internet. However this is not the only source of conflicts. There is conflict in the US itself.

The State department is pushing for more circumvention tools and techniques to make it possible to get around firewalls. TOR is one of these I’ve talked about in the past. However, the US legislature is pushing for more control and better access to what data is flowing and ways to block it. These laws, SOPA, PIPA and now CISPA, all attempt to control the internet in the name of IP or cybersecurity. However, they are methods that allow censorship and control over the internet. The US is not the only country implementing these laws; the UK has and the EU Parliament is still considering ACTA.

MacKinnon also indicates that these actions help to validate countries like China. In some cases the support comes from artists like Bono or the RIAA when they say they want the same abilities as China for blocking access to content. However, the laws can only do what companies are capable of providing to governments and consumers and other agencies.

Copyright laws would be useless if companies had not created ways to inspect data and then stop the transfer. Some of this comes in the form of filters and blockers for parents. These can be applied at the national level. Cisco and other major western companies provide equipment through sales to countries like China for the firewalls and censorship abilities.

These are not the only way businesses are complicit with repressive regimes (in many cases the equipment is essentially off the shelf), MacKinnon also describes the cases of Yahoo and other companies where they hand personal information over to the regimes. In some cases this has led to death for the person whose information was requested. Of course this isn’t just in China, but the same companies hand data over in the US and other democracies.

At this point human rights groups and other rights groups have become more active around the world on matters of the internet. A large portion of her book deals with these problems through a human rights perspective. I believe that this is a good way to look at these problems. This levels the field across socio-economic levels. It begins with the assumption that protection of data should be universal. It frames the perspective from which she argues for netizens to engage and to be active in addressing these issues.

She argues that we can’t expect the next CEO of Facebook to be benevolent as Zuckerberg has sort of been. The netizens need to pressure companies and governments for better clarity of what our data is being used for, how long it is stored and why it is collected. This is important, because we “consent” by clicking I accept without reading and with no control over a change in contract. Anger at changes Facebook has made led to changes, so as a group we have the ability to effect change at companies. We have also seen what collective action can do to government in light of the SOPA and ACTA discussions.

These matters are important because they affect all of us. This book does an excellent job explaining what is at stake. It provides a perspective from the developing world and the people under dictatorships. It highlights the fine line we are currently treading and that countries like the US and UK could easily slip from democracy into digital dictatorships where the views of a select few are paid a great deal of attention and the rest are ignored and censored.

Overall I give this book 4/5. At times the book was somewhat repetitive but it was to ensure the point was made. This book should be read by any cyber activist, developmental scholar and student of dictatorships.

Owning your data

Yesterday Facebook and the FTC came to an agreement on privacy settings. This will require Facebook to undergo privacy audits twice a year by a third party firm. In Europe Facebook users are already able to download their data as I mentioned in a previous post. I think we’re living in an age where users will need to be well educated on the impact of the privacy policies of websites on the users’ personal data. However, how can we do this? I personally never look at the privacy policy on a website. Why? Because I don’t really trust them. Effectively, just by going to the website I agree to these policies and effectively whatever is stated in the privacy information I’m bound to. However, I have to go to the website before I can read it, thus creating a catch-22.

If I did disagree with something written in the privacy policy, I’ve already agreed to accept their terms and if they said “we’re going to steal all your cookies and sell them for profit” and I object to that it’s too late. They already did it.

This puts us users in a bind. We enjoy the benefits of cookies. We don’t have to always remember our passwords, we automatically get logged into our favorite websites. Personal settings pop up as soon as we log in. There are plenty of benefits from using cookies. We lose all of these as soon as we use services like Incognito from Google Chrome. Some of my readers have commented that they have switched to using an Incognito window, but it’s much more of a pain to log into Facebook and they have actually started using the service less. In terms of Facebook to compensate I use TweetDeck which pulls my news feed from both twitter and Facebook. However, it doesn’t get everything including messages from friends, which is annoying, but not the end of the world.

To deal with these privacy issues, the EU is proposing a pan-European standard for privacy policies that a website has to get approved. Companies like Facebook are actively fighting against this rule. I think that this is a great step. I know a lot of people don’t like new government regulations. However, in this case the public is woefully uninformed and finds getting informed on these topics cumbersome. A lot of money is being made off of people’s ignorance. Now, many people would say that’s their fault for not properly investigating this topic.

There are a few resources out there to help with getting a better understanding of how to protect yourself. The EFF has an entire section of their website devoted to privacy issues. The ACLU has a Technology and Liberty section which includes topics like privacy.

So why should we care about this? If you aren’t doing anything wrong you don’t have anything to worry about. I’m sorry, but this is a really naive way of looking at privacy issues. Some of you readers out there have fences in your back yard. Many of them are called privacy fences, if you aren’t doing anything wrong why do you have a fence? Others will have a safe to store valuables and important documents, why do you need a safe, if you aren’t doing anything wrong you shouldn’t need a safe.

Putting this into a physical context highlights the absurdity of the not doing anything wrong argument. It also highlights the differences between privacy in the physical world and in the digital world. It’s really easy to understand how to increase your privacy at home: build a fence, better curtains, better locks, bars on your windows, etc. Fixing privacy on your computer is much more difficult. Security experts have tried to make things as simple as possible by using names like Virus scanner, Firewall, etc. Most people don’t really know how to use these properly.

Adding a Firewall to your computer can make using it difficult and clunky. Services that you use frequently suddenly stop working correctly and it’s not always obvious why at first. There needs to be a movement within security companies to make everything as simple as possible for the broader population. There should be advanced settings for the people who really want to control their data. Basically we need the firewall to turn into a fence for most people but with settings to turn it into the Berlin Wall if an advanced user wants it.

All users need to understand the risks, just like they need to understand risks of burglary, they shouldn’t need to be a security expert though.

Other potential resources (I have no idea if they are any good, I just searched for privacy resources)
http://www.privacyresources.org/
http://epic.org/privacy/privacy_resources_faq.html
https://www.privacyinternational.org/article/ephr-privacy-resources