Archive for the 'Security' Category

Stunning Privacy Breach by AOL

Sunday, August 6th, 2006

By now you’ve probably read about the astonishing breach of privacy in which AOL posted the supposedly “anonymous” search records for 500,000 users over a three month period.

You can read more at:

siliconbeat , techcrunch , digg , reddit , and zoli’s blog

Most of the comments on these sites point out the problem of people entering personally identifiable information searches – the idea being that if people searched on topics that might identify them, then also search on topics that are embarrassing or illegal, the database effectively becomes a map to prosecution, blackmail, etc.

What most of the posts and comments miss is that the situation is even worse. Each search request also includes a very accurate (to the second) timestamp. So all the government would need to do to identify someone is to match up a couple of requests to a government owned web site by IP address and time (one can assume that while a company like Google might protect users privacy, government owned web sites probably won’t).

So, to use a hypothetical example: if someone searches for how to pass a drug test, and you find the same user paid a visit to the Department of Motor Vehicles and maybe a court site, it wouldn’t be too hard to pull the logs from those sites and see which IP address visited both at the times specified. Presto – you have some pretty solid evidence what that user is up to, and a map of their searches (who knows what else it might turn up). Plus, since you now have their IP address, you can (as a tech savvy prosecutor), subpoena their records from their ISP you now have some solid identification.

Aside from a gross violation of trust on the part of AOL, this represents a threat to the very future of the Internet. If every search you perform becomes part of your permanent record, how will that impact search?

One thing is clear – AOL cannot be trusted. This is too great a mistake to just brush off. Google has shown at least a willingness to protect user’s information, going to court to protect exactly this kind of information. I don’t know Microsoft’s stand at the moment – if anyone has information on their record please feel free to comment.

The Great Cyber Security Debate Between John Kerry and George Bush (that never happened)

Wednesday, October 6th, 2004

Moderator:

The topic of tonight’s debate is security. Because this debate is fictional, both candidates are permitted to ask each other questions directly. There are no time limits. If a red light starts flashing quickly, it’s probably your hard drive light and indicates that your computer has been hacked and someone is downloading your last ten years worth of tax returns.

Our first question is to President Bush. Mr. President, there is some concern that your administration has not paid enough attention to the issue of cyber-security. How do you respond to this?

Bush:

We’ve been working hard. Very hard. On cyber-security. Securing the Internet – it’s a hard thing. But we’re making progress. Since 9/11 we have had not one, not two, but three different cyber-security chiefs. In fact, our most recent one, Amit Yoran, just resigned this week, leaving an opening for a fourth chief!

Kerry:

I have a clear and consistent vision on cyber-security. It’s a four step plan. First, we’ll give our cyber-security chief some real responsibility and funding so he can make a real difference. Second, I’ll have the department of education require that computer security education be part of every classroom in the country where a computer is used. Third, I’ll make sure that our own government agencies are secure. Fourth we’ll work with allies around the world, employing a global test to shut down the phishing attacks coming to our citizens from other countries. Fifth, we’ll start a national campaign to educate all our citizens about how to protect their computers.

Bush:

The American people want a president who is consistent and decisive. Not one who flip flops. First you say you have a four step plan. Then you have a five step plan. What hacker will be convinced to stop hacking by a president who can’t count? My plan is a real plan. We stopped the legal action against Microsoft, leaving them free to innovate. That’s the American way. Innovation. We won’t let the government use open source – people contributing to a common code base? That’s communism.

Kerry:

The job of government isn’t to protect Microsoft from open source. It’s to protect citizens from spyware and identity theft. It’s to prevent cyber-terrorism. It’s to protect people’s privacy. People should be free to use whatever software they want. People should have the right if they buy a CD or DVD to play it on any operating system or device they own, without fear that they will be sued by a large corporation.

Bush:

We need true tort reform, to stop the trial lawyers from suing the large corporations and driving up prices for everyone. What kind of candidate chooses a trial lawyer to be his vice presidential candidate?

Kerry:

We need true tort reform, to stop the corporate lawyers from suing individuals and scaring the s**t out of everyone. What kind of candidate chooses… oh, what’s the use.

Bush:

We need to protect the core values of this country. American values. Values held by real Americans. Look at this (he holds up a book). “Always Use Protection” What kind of name is this for a security book for teenagers? It’s immoral. The only real answer is abstinence.

Kerry:

Mr. President: You’re protecting large corporations and their right to control the way individuals use technology. Your cyber-security efforts have been mostly exercises in under funded turf-building. And now you suggest that the best way to secure computers is to not use them? This country needs new leadership. We need a hacker in chief. Someone smart enough to create a fake document that could fool a national news network….

Moderator:

This concludes our fictional cyber-security debate. Please join us next week when Dick Cheney and John Edwares debate the relative merits of the MSN Messenger and AOL Instant Messenger Services for spreading misleading statements about the opposing candidate.

The Future of Computer Security: A Question of Analogies

Wednesday, September 29th, 2004

Friday I expect to be on a panel at Gnomedex called “The Future of Security.” In preparation, I’ve been putting some thought not so much into the future of security, but into how we even go about figuring out that future.
Let’s start with some basic facts – the axioms of security if you will:

  • There will always be “bad guys” who try to break into systems, write viruses, steal, etc. They’ve existed throughout history, and there’s no reason to expect them to vanish from cyberspace.
  • Technology alone will never provide perfect security. Every walled city ultimately fell. However, technology may, for a while, provide “good enough” security.

The challenge with predicting Internet security is that the Internet is a new phenomena. We don’t really know where it’s going or what it will be like in 20 years. Even though we are in some ways better off than those who pioneered the Internet, because we’re at least paying some attention to security, that is offset by a huge increase in complexity (and complexity is the enemy of security).

In predicting the future, we try reaching for analogies from the past. But in doing so it’s sometimes tough to choose the right analogy. For example: those who expected “nation building” in Iraq to be analogous to post WWII Europe seem to have been woefully mistaken.

There are two analogies that I currently find useful in thinking about Internet security. One is inspired by the information superhighway, a term has lost some of its popularity but remains useful. In this analogy, the original ARPA-Net was the equivalent of dirt roads. Visitors rode primitive Model-T vehicles, at relatively low speeds. There were few accidents, no seat belts and no drivers ed.

As the highway system grew into its modern form, accidents became more common. Society dealt with this in two ways – using technology to make both cars and highways safer, and instituting strict requirements for drivers education. Even so, accidents still occur in huge numbers, but we’re presumably better off than if nothing had been done.

On the information superhighway some work has been done on safety features. Computers have antivirus tools and firewalls available, though like seatbelts they are optional and not always used. ISPs are adding security features to the “highway” itself. But we have no equivalent to driver’s ed – any clown can buy a system and get on the highway without learning a thing about security. I’m not suggesting we legislate computer security classes, but I wonder – what if a major ISP like AOL raised their prices $5 overall, but offered a $10 discount to anyone who passed an online security quiz?

The other analogy I like is the biological analogy. It’s not a new one – many elements of computer security are named for their biological analogs. The security implications of this analogy suggest that computer security is not a problem to be solved, but a chronic condition. That spam, viruses and hoaxes are destined to become a permanent part of the Internet that might, like today’s bacteria, even have beneficial results (I know of people who have cleaned up a severely infected computer by just buying a new one – which is presumably good for the economy). The book “The Shockwave Rider” portrays an Internet that follows this model, with some surprising consequences (it’s a great book and I highly recommend it). Of course this analogy has its disturbing sides – everyone dies, after all.

I’m looking forward to seeing what my fellow panelists think about the future of security, and if there are other relevant analogies that might work. I’d be interested in hearing your view either here, or even better, if you’re at Gnomedex please introduce yourself and let me know what you think.

Hurricane Ivan and the X-Rayed Water Bottle

Saturday, September 18th, 2004

The other night I was watching the Hurricane Ivan show on CNN. It consisted mostly of newscasters standing in the rain and wind right outside of their hotel room, while waiting for a large planter to blow over (I’ll avoid comment about reports being smart enough to come out of the rain, and observe that the individual covering Hurricane Ivan for Jon Stewart’s Daily Show also stood in blowing mist – outside a carwash – thus fulfilling the journalistic obligation to be soaked while reporting on a storm).

Today, on my way to a conference in Germany, I saw someone carry a clear plastic water bottle through security – only to have it taken back through the metal detector and run through the X-Ray (I confess to being at a loss to imagine what an X-Ray might see in that bottle that we couldn’t).

This got me thinking. We all know that we’re spending lots of money to defend against terrorism and to X-Ray water bottles. About 40 billion in 2003 (not counting the war in Iraq, whose relationship to homeland security is an interesting question in and of itself). I wondered how it compared to what we are spending on various other threats – like hurricanes.

This is certainly a bad year for hurricanes, though we don’t know yet how much they’ll really cost. But looking at NOAA data, it looks like hurricanes and other storms typically cost 5 to 10 billion each year. Hurricane Andrew in 1992 was 27 billion (about the same as the direct costs of the 9/11 attacks). The NOAA budget is about 3.3 billion – that’s on all their activities, not just hurricane and storm tracking.

Terrorism though is worse than Hurricanes though. Why? Perhaps because it can strike at any time without warning.

So let’s consider earthquakes – they also can strike at any time without warning. I’m a California boy, and I got to ride the Loma Prieta quake (and trust me, “ride” is the operative word). That one cost about 6 billion. The Northridge quake cost 20 billion. The USGS annual budget is about 1 billion, of which 100 million or so goes to earthquake and volcano research and prediction.

But Terrorism is worse than earthquakes. Why? It kills more people (and why are we talking damage costs when lives are at stake anyway?)

World wide deaths from terrorism have been running under 4000/year (though increasing). The 9/11 attacks cost 2700 lives. Definitely more than have been killed by hurricanes are earthquakes (at least in the U.S.)

So let’s consider traffic accidents. In 2003 there were 42000 traffic fatalities in the U.S. (2.9 million injured). That’s more than killed by terrorism in the past decade. How much are we spending on high way safety? How does 3.6 billion sound?

But terrorism is worse than traffic accidents. Why? Because it has a greater risk of mass casualties due to possible use of weapons of mass destruction. But how much of that 40 billion is going towards controlling spread of nuclear weapons and detection, prevention and preparation for biological attack? I can’t help but wonder if that 40 billion is really being spent wisely.

There are some other things I wonder…

For example: I recently read that Afghanistan has become a leading export of Heroin and other drugs (70% of the world’s opium comes from there). I realize that the war on drugs has been preempted by the war on terrorism, but still, it’s hard for me to see that hunting for Bin-Laden is incompatible with getting a country out of the drug business.

And it does seem curious that Iraq seems to be developing into a new home and school for terrorists. I mean, freeing the Iraqis from Sadaam Hussein is all very nice, but exactly how did that make us more secure?

Anyway, these are some of the questions I’ve been wondering about. Not that I have any answers, but it did lead me to one thought I’d like to leave you with. Virtually all of the political discussion has related to Bush vs. Kerry as individuals (and what they may or may not have done 30+ years ago). Let’s remember that we aren’t just hiring a president – we’re hiring their staff. If you rehire Bush you get Cheny, Rumsfield, Ashcroft, Rice and maybe Powell in the bargain (it’s not clear if Powell’s staying on) – not to to mention the likelihood of a Supreme Court justice or two. With Kerry you get… Hmm… who do you get? Hopefully we’ll hear soon.

Ok, I’m out of questions. It’s raining outside, but I’m safe and warm in my hotel room, drinking water from a nice, safe, thoroughly X-Rayed bottle.

(P.S. it’s not really raining outside. That part is poetic license).

Sources:

National Oceanic and Atmospheric Association (NOAA).
Center for Contemporary Conflict – U.S. Navy.
Centers for Disease Control and Prevention (CDC).
U.S. Geological Survey (USGS).
US Department of Transportation.
Congressional Hearing: Afghanistan Drugs and Terrorism and U.S. Security Policy Feb 12 2004.

Scams and Quotes

Friday, September 3rd, 2004

This week I was quoted in an SD Times story about 64 bit Windows. In it I say:

“Migration to 64 bits is likely to be slow, as is migration to any new technology. What’s more, delays of major products from Microsoft are common, so it’s hard to get excited about them.”

Now, for the record, I was not misquoted. Nor was this taken out of context. However, also for the record, I’d like to include the remainder of the quote that was not included in the article:”

Not only are delays on major products common, but as an industry we would much rather Microsoft take the time needed to “do it right”, and make sure the technology is secure and reliable, than to rush something out the door.
Kudos to Microsoft for having the discipline to wait until it’s truly ready to ship.

Now, on another note. I saw the most remarkable phishing email scam today. The misdirected link was subtle and hard to spot in the message source code, even when I knew what I was looking for. I wrote up a description of this IE specific attack at alwaysuseprotection.com. Visit the page using IE – it’s a trip.

Why Microsoft should not build antivirus protection into Windows

Monday, August 23rd, 2004

Most people in the technology field don’t realize how truly awful it is out there with regards to viruses and spyware. I’ve been traveling around the country promoting my book “Always Use Protection: A Teen’s Guide to Safe Computing,” and the stories I’ve heard are horrific. People are truly learning to hate their computers.
A recent blog in the Scobleizer is but a small example, but one of the comments that suggested Microsoft build in anti-virus capability to Windows is way off.
Having Microsoft build anti-virus protection into Windows would be a disaster.
Let’s ignore the antitrust issues. Let’s even ignore the question of whether Microsoft can be trusted to build a good antivirus product.
Right now there are a decent number of antivirus vendors. The competition among them is helping improve the overall protection of antivirus products. More important, the variety makes it very difficult for a virus/worm to target all of them (remember – viruses love to disable antivirus programs).
What would happen if Microsoft included antivirus protection in Windows?
It would immediately suck a huge amount of the revenue that antivirus companies use to survive and use to develop their products. Even if vendors had a better product, the vast majority of people would just stick with the built in antivirus program. The Microsoft antivirus program would quickly gain a dominant market share. We’ve seen that story before.
Not only would this reduce the competition that drives improvement in antivirus programs, it would create a huge juicy target for viruses. Just as most viruses now target Internet Explorer, most would target the built-in protection. Computer security is far too important to take a chance on this. Microsoft took the right approach with XP SP2, checking to see if an antivirus program is present. They should continue with this approach.

RSS feeds for sites referred to in this item:
Scobleizer

The Always Use Protection Quiz

Tuesday, August 17th, 2004

I’ve started seeing all sorts of interesting comments since my interview with Robert Scoble was posted on channel9.msdn.com. Many of the comments relate to the quiz I have posted at AlwaysUseProtection.com. Some of the comments are thoughtful. Others provide fascinating insight into the biases of the reader. I’ll be using this post (which I’ll update periodically) to respond to the most interesting of these posts.

Readers at PHP Everywhere wonder:

  • What are the FTC surveys on teens suffering from identity theft?
    Answer: They don’t ask that question. There’s rarely money involved in the kinds of identity theft teens suffer from (and the FTC, being the Federal Trade Commission, is focused on financial issues). So until some grad student looking for a good thesis does a formal study, I’m afraid my numbers are the best I have. I feel comfortable using them because the numbers I’m seeing are so high (over 30%) compared to the identity theft numbers for adults (under 5% in 12 months, which is still very high).
  • I have some sort of financial motive by claiming free antivirus programs aren’t good enough.
    Answer: Anyone who asks this is missing the real point of the question. The key idea is that periodic scanning for viruses is never good enough. You need real-time scanning, and to my knowledge at this time none of the free scanners include that feature. As soon as I find one I’ll remove free from the question. Also, I don’t work for an anti-virus company.
  • Cookies are a threat to privacy.
    Of course they are! And occasionally a stupid web site will include personal information (such as user ID and password) in the cookie. But most sites don’t. The point of this question is to encourage people to understand what cookies really are and the kinds of threats they pose from minor (obfuscated first party cookies), to more significant (obfuscated third party cookies), to serious (cookies that contain personal information).

Readers at channel9.microsoft.com wonder:

  • If I just wrote this to plug an area of the market that is otherwise unplugged (under 20’s) – the implication being it’s just for the money.
    Well, yes. Obviously if there had already been other security books for teens I wouldn’t have written this one. I would have just bought that book and handed it to the teens I know who need it. But any author will tell you that writing books nowadays is one of the least profitable ways to spend your time.
  • You play fast and lose with the terms virus and worm:
    You bet I do! The difference between them is important to security professionals and those who are by nature precisionists (or anal retentive). From the perspective of a home users, viruses, worms and trojans all fall into the class of “bad things that a good antivirus program should clean or remove.” Spyware and Adware fall into the class of “bad things that you may need a spyware/adware tool to remove because many antivirus programs won’t catch them”. That’s why in the book, once I explain the difference between them, I tell readers that I’ll just use the more generic term “virus” throughout the rest of the book.

More to come…

RSS feeds for sites referred to in this item:
channel9.msdn.com
Scobleizer
PHP Everywhere