creeva

Originally published at Creeva's World 2.0. You can comment here or there.

Image from here

Everyone else is writing about network neutrality today (here, here, and here), so I’m jumping on the bandwagon.   Actually I meant ot write this last night, so since I’m slow and lazy the others beat me to the punch.   Late last night I saw the first posts about Google’s MeasurementLabs sneak across the RSS feeds.  What the tools you can get from that web site do is find out if your ISP is doing any funny stuff to your internet data.

I highly recommend so they can get the broadest picture possible running these tools.   It makes you a good Internet neighbor.

Originally published at Creeva's World 2.0. You can comment here or there.

Image from here

The other day I was browsing Craig’s List and noticed a listing for some free software.   It wasn’t anything I was interested in, but I did stop an think about it.   We talk about all the time about verifying where you download software from.   We hear all the time about pirated software that looks the same as legitimate software.     So why would you take free software from Craig’s List?

I guess this is just more an observation.  I’m just pointing out common sense that people should be thinking.  I’m just trying to point out that there is no such thing as a more trustable anonymous source.   It would be easy to compromise a computer by offering free software on Craig’s List and manipulating it before handing it out.

I’m not saying not to take - just think twice.

Originally published at Creeva's World 2.0. You can comment here or there.

Image from here

While I don’t really blame NYPD from wanting to evolve and learn from other terrorists attacks, I think they are very short sighted in the idea of  blocking cell phone service in a terrorist attack.   I first read about this story on a Wired.com blog entry, I thought how asinine an idea just reading the headline.

The historical aspect where they are working form is the terrorist attacks in Mumbai that happened last month.   The terrorists used cell phone networks, GPS, and anonymous e-mail to coordinate their attacks.    The NYPD think that if they shut down cell phone coverage in the Big Apple terrorist cells  won’t be able to coordinate attacks in the big city.  There are a few things that they don’t seem to be aware of.   Terrorists are smart in most cases, citizens are ignorant.

We already saw in the Sept. 11th attacks the panic that is caused by the loss of cell  phone service.  If there is another large attack, normal people in NYC will panic, since the communication infrastructure was supposed to be strengthened post 9/11.  If they can’t reach their loved ones, if there isn’t a way to get news in and out, people will panic and make the problem larger then it would be otherwise.   This is just how the normal citizens would react, what about the terrorists.

Well this news has made it to the web, so terrorists can now plan for this eventuality.   They can now be ready to act if their cell phones are blacked out.  Also NYC is the land of open wi-fi hot spots.  Anyone with and sense could easily work with a wifi phone or a laptop and still have communication with one another.   So the next thing they would have to look at is blocking out cellular coverage and all internet access in and out of the city.   This is also if they are not coordinated ahead of time.   This is all a smoke screen to give teh police more power then is needed.

Remember -  “Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety.” ~ Ben Franklin

Originally published at Creeva's World 2.0. You can comment here or there.

Picture from here

A couple news sources are reporting today (here, here, and here) that the LA Times is suspending their program of using a wiki for editorials.   Now in a controlled environment like Wikipedia where they have the volunteers to handle un-authorized edits, wiki’s can be a great thing.   In the hands of exposing your edits to the audience of a major newspaper - I wouldn’t have gone that route.

What they were finding is that people would make their own slant on the editorials - such as changing the word abortion ot the word murder.  They also were inundated with spam and porn ads.   Sounds like they didn’t have the best idea on the onset of setting up a wiki or properly staffing what would be a high profile use of the technology.   This is technology that is meant to be changed and updated.   That ability alone has made some people suspect of Wikipedia.   Newspapers are dying out in America - but this example shows why such high profile companies can not hand the keys to the car to just everyone asking.   Citizen media has it’s place, but old media shouldn’t be attempting to tag it on without understanding hte consequences or the work involved in maintaining it.

I wonder if anyone got fired?

Originally published at Creeva's World 2.0. You can comment here or there.

The recent twitter phishing scam had non twitter users scratching their heads on why this service would be targeted for a phishing scam at all.. Most people view little or no monetary value to twitter accounts. For most people this may actually be true. For people like Scoble or companies that promote themselves over twitter, well the brand name damage caused by a hijacked twitter account could be quite costly.

One of my friends on twitter had a reply about this issue (I’m assuming the other person didn’t realize the long tail potential impact (yes I used the term long tail - get over it)). What I saw was this:

@jeremyasmus could be any number of reasons, spread malware, spam, get passwords, us humans tend to use the same password over and over.

This is the crux of the issue isn’t it? The problem isn’t average user with nine friends directly, it’s the large power users and the passwords for other services. Let’s look at each of these.

Let’s say you are Scoble and your account get’s hijacked. Scoble has a level of trust built from himself, he is known to get the inside scoop on information, people click his links. Scoble has over 47,000 followers. If his account was hijacked and ten percent clicked a link that was really a malware installer - that would be 4,700 people infected within a matter of minutes. I think however the number of Scoble followers would be much larger probable in the 50-60% range. For a malware distribution this is a great return for the time frame, with the added benefit that you may get some other high profile names in the attack.

The cost to deploy such an attack is extremely low - under ten dollars, while the net return would be a few thousand, potentially more. Since there is little risk to getting caught if you know what you are doing, you could make some decent money by exploiting this chain of trust that exists and is protected by a mere password.

Let’s look at the side of this coin, the normal user.  Adam Baldwin nailed it right on the head when he stated “us humans tend to use the same password over and over”. I know I do, though different level of things have different passwords - my banking account does not use the same username/password combination as my twitter account - neener/neener. It is however shared with some other web 2.0 services. Some other people may not be so diligent. This once again is a chain of trust issue. You are trusting the companies that you give your passwords to are truly them, so once your password is in the wild it’s exposed and all of your accounts are open to attack.

Let’s look at the information an attacker can get from you if they have your twitter password:

User Name - while by itself it’s exposing a little bit about your account and your password - the problem lies in having both bits of this information. That part should be blatantly obvious. The issue lies in the fact that most of us use the same username or “handle” across many sites on the web. Doing a Google search for “Creeva” yields over 46,000 hits. A lot of these hits are different services that I play with and over 90% of the hits link back directly to me in some fashion. Since most sites use you username as your login name, if I used the same password every single one of these services would be exposed if I fell for the twitter phising scam.

E-Mail Address - Yes though it maybe only a small amount these days, your e-mail address is still worth a few percentages of a penny to the spammer. This would get you on more mailing lists, and ones that would be quite hard to get off of. It is also normally used as a login name for service that do not use your handle. More accounts have now been exposed because of this. If your e-mail account passwords is the same as your twitter account (dumb mistake) everything about your online life, accounts, and transactions can now be exposed and utilized against you. Would you notice a gmail filter that someone setup to clone every incoming e-mail?

The other issue is even you do not have accounts that show up in a Google search they could use a service search engine such as Spokeo to find accounts even you may have forgotten about.

Mobile Phone Number - This probably would be one of the most annoying things, that your phone number has been exposed to the internet underground. Phone spam, call back charges; there are a few things they can do with this number. I do think this is small annoyance compared to loosing your email account.

Being a good security professional my recommendation is to use strong passwords that are unique to each service and are rotated regularly. I am also a realist and know that you won’t. This may be the time to start doing segmentation where different accounts do get different levels of passwords. This is what I do so if my twitter account was compromised only the services that I consider on par with Twitter security-wise was at risk. Lower level accounts would be safe and higher level accounts would be safe. I also think with the range of accounts, I could move faster then the phishers going through and knowing what to change faster then they could try all 46,000 sites. It’s a thought - now what are yours?

Originally published at Creeva's World 2.0. You can comment here or there.

Picture from here

Though I don’t think it’s related to the search engine privacy story, Google has just released a web book for free titled Browser Security Handbook.   Some people are relating to this as Google’s answer to the security (and privacy) issues raised by Chrome.  Others belive it’s a way of giving back to the community based on the way Google looks at these concerns and how they address them.

Currently I’m reading through and thought I would share.   You can go to the project page, download test cases, or read it online.   If you have any interest in this field I suggest you at least do one of them.

Originally published at Creeva's World 2.0. You can comment here or there.

Picture from here

Techtree.com in India is reporting that there are privacy concerns with search engines saving your browsing information.   Really?  This was news a few years ago in the US, we know what we are giving them and respect that they will use the information to make their products more marketable.  In turn they will conitnue to give us “free” access to their services, and we should be guarded with what information we give them.   At least the tech and privacy savy user does.

Why I ran across this on Google News this morning I have no idea.   This should be nothing new, yet it makes the news.   Sorry just dealing with a little annoyance in my cereal this morning.

Originally published at Creeva's World 2.0. You can comment here or there.

Benjamin Franklin - They who would give up an essential liberty for temporary security, deserve neither liberty or security

Originally published at Creeva's World 2.0. You can comment here or there.

Douglas Macarthur - There is no security on this earth. Only opportunity.

Originally published at Creeva's World 2.0. You can comment here or there.

Anne Wilson Schaef - Security is an attempt to try to make the universe static so that we feel safe.

Originally published at Creeva's World 2.0. You can comment here or there.

Germaine Greer - Security is when everything is settled. When nothing can happen to you. Security is the denial of life.

Originally published at Creeva's World 2.0. You can comment here or there.

Two weeks ago I wrote that the suspect in that compromised Palin’s Yahoo Mail account was not indicted.   Today Wired is reporting that he has been indicted.  Currently he is facing five years in prison and a $250,000 fine

Read the whole story at Wired News - AP News.

Originally published at Creeva's World 2.0. You can comment here or there.

Picture from here.

Looking at my access logs on the site I noticed a referral from this page.  At the top of the page it stated this:

Blogged without permission to: http://creeva.com/2008/08/08/i-cant-link-to-your-web-site-man-your-retarded/.

Now my first instinct was “What the Hell”, I then checked and verified this came up under a creative commons search and made a screenshot.

Now under creative commons that applicable (Attribution-NonCommercial-NoDerivs) (I searched to see what was allowed to do to the image after this came up) it states:

Under the following conditions:

• Attribution. You must attribute the work in the manner specified by the author or licensor (but not in any way that suggests that they endorse you or your use of the work).

  Attribute this work:

  <input ... > <input ... > <input ... > </p>
  What does “Attribute this work” mean?

  The page you came from contained embedded licensing metadata, including how the creator wishes to be attributed for re-use. You can use the HTML here to cite the work. Doing so will also include metadata on your page so that others can find the original work as well.

• Noncommercial. You may not use this work for commercial purposes.
• No Derivative Works. You may not alter, transform, or build upon this work.

I did copy (well I linked to the photo on Flickr) and I distributed the work because it was embedded in a blog post.

The conditions:

Attribution - I followed the norm for creative commons licensed Flickr images which is to link to enclosing page where the picture is from.   No other conditions were specified by the creator, so I took the industry norm for such usage.

Noncommercial - Though someday I would like to get paid, my blog is a non-commercial work and I would testify under oath and in court that my blog has never netted a single penny into my bank account, into my pocket, and in any tangible meaningful way.

No derivative work - when speaking of the image I did not alter, transform, or build upon the image in any way.

Using this image like I did I was well within my legal rights.  I left this comment on the page:

You know you stated that this was blogged without permission to my site on the page http://creeva.com/2008/08/08/i-cant-link-to-your-web-site-man-your-retarded/

The problem with this is that you released your photo under creative commons.  For all my posts I only seach for flickr photos licensed via creative commons, just so I can use images legally.

I clearly underneath the photo linked back to this page which is attribution - I didn’t obfuscate, nor did I claim it was my original image.  If anything it was to help drive traffic back to your site since I didn’t want attribution given to me any way shape or form.

Now I don’t mind the fact that you state it’s blogged without permission, but this comes down to the fact that you licensed your photo under creative commons originally, and you don’t seem to understand the rights you’ve given up by this.  I’m not using this commercially, so I am within my right.

Please see this flickr search:

http://flickr.com/search/?q=Kitty+Reindeer&l=cc&ss=0&ct=0&w=all

and you can verify that this image is listed under creative commons use - or see this screenshot http://flickr.com/photos/creeva/2909390861/

Under more in depth searches - you are not allowing commercial use of this photograph, which I am not doing.   You are also not allowing anyone to modify, adapt, or build upon - which I also am not doing.

Also though Flickr allows you to remove a creative commons license legally once something is released under creative commons it’s eternally released and irrevocable.

While my first instinct was to remove this image I’m letting it stand because of the license you chose regardless of your understanding of the license.

If the creator had contacted me in any way shape or form this may have been a different issue and I may changed the image (at least on this site I don’t know if I could catch everywhere I crosspost to).   Now however since I am a firm and hard believed in public domain and creative commons rights for creators, it’s become a matter of principle.  If someone doesn’t understand what creative commons is, they shouldn’t use it otherwise they will loose rights that they thought they had.  I did not publish this in a book and made no commerical profits off htis image.  I followed the license as it was written and intended.   If the creator didn’t understand those rights, well that’s another issue.

Originally published at Creeva's World 2.0. You can comment here or there.

According to Wired.com, the hacker who last week broke into Palin’s e-mail account has left the grand jury without an indictment.   Now the real question I have, how does a crime with such national exposure and high profile as this one go without punishment?

The only logical thing I can come up with is they snagged the wrong kid.  If they don’t have the wrong that doesn’t mean he won’t be indicted (which he should be), it just means more evidence needs to be presented.

I’m not saying the kid attempting this coup is wrong (though it is), the proper thing after suceeding would have been informing Palin.  Unfortunately he decided to post the login information on an online forum.  At that point is when all hell broke loose.

Since I just wrote about DHS pre-crime detector which shows if the the subject is being deceitful or is planning on doing something, I wonder if they are aiming it at this kid as he leaves the courtroom?

No Indictment Against Palin Hacker | Threat Level from Wired.com

Originally published at Creeva's World 2.0. You can comment here or there.

First let’s start with something from Cory Doctorow’s book Little Brother:

If you ever decide to do something as stupid as build an automatic terrorism detector, here’s a math lesson you need to learn first. It’s called “the paradox of the false positive,” and it’s a doozy.

Say you have a new disease, called Super-AIDS. Only one in a million people gets Super-AIDS. You develop a test for Super-AIDS that’s 99 percent accurate. I mean, 99 percent of the time, it gives the correct result — true if the subject is infected, and false if the subject is healthy. You give the test to a million people.

One in a million people have Super-AIDS. One in a hundred people that you test will generate a “false positive” — the test will say he has Super-AIDS even though he doesn’t. That’s what “99 percent accurate” means: one percent wrong.

What’s one percent of one million?

1,000,000/100 = 10,000

One in a million people has Super-AIDS. If you test a million random people, you’ll probably only find one case of real Super-AIDS. But your test won’t identify one person as having Super-AIDS. It will identify 10,000 people as having it.

Your 99 percent accurate test will perform with 99.99 percent inaccuracy.

That’s the paradox of the false positive. When you try to find something really rare, your test’s accuracy has to match the rarity of the thing you’re looking for. If you’re trying to point at a single pixel on your screen, a sharp pencil is a good pointer: the pencil-tip is a lot smaller (more accurate) than the pixels. But a pencil-tip is no good at pointing at a single atom in your screen. For that, you need a pointer — a test — that’s one atom wide or less at the tip.

This is the paradox of the false positive, and here’s how it applies to terrorism:

Terrorists are really rare. In a city of twenty million like New York, there might be one or two terrorists. Maybe ten of them at the outside. 10/20,000,000 = 0.00005 percent. One twenty-thousandth of a percent.

That’s pretty rare all right. Now, say you’ve got some software that can sift through all the bank-records, or toll-pass records, or public transit records, or phone-call records in the city and catch terrorists 99 percent of the time.

In a pool of twenty million people, a 99 percent accurate test will identify two hundred thousand people as being terrorists. But only ten of them are terrorists. To catch ten bad guys, you have to haul in and investigate two hundred thousand innocent people.

Guess what? Terrorism tests aren’t anywhere close to 99 percent accurate. More like 60 percent accurate. Even 40 percent accurate, sometimes.

What this all meant was that the Department of Homeland Security had set itself up to fail badly. They were trying to spot incredibly rare events — a person is a terrorist — with inaccurate systems.

Now that all being said, DHS has actually build a machine that tests for security threats.   Now if this is put into production you get to be watched everywhere you go and wonder about this machine judging your intent and being pulled over for questioning.

If you would like to read more information on this please read the link below.

‘Pre-crime’ detector shows promise - Short Sharp Science - New Scientist

Originally published at Creeva's World 2.0. You can comment here or there.

People in the security world were all pretty sure that users never paid attention to dialog boxes.   Ars Technica printed information about a study performed North Carolina State University that proves that the security professionals were correct.  Most users only want to get rid of the immediate annoyance and don’t read what is happening on their screens.

We already know most people don’t read their end user license agreements - but come on.  How many fake windows dialog banner ads do you need to load and have bad things happen to your computer before you learn.   Unlike other childhood cause and effect lessons, we don’t lear clicking the button is bad like the stove is hot when we get burned.   There is a mantra I’ve always enjoyed, “If Stupidity Can’t Hurt, Then It Should Cost”.   I’m rather happy that most users that click and click and click to punch the monkey or get rid of fake banners hads more then likely spend hundreds of dollars keeping their computer in running order after the spyware has had a field day.   I do feel sorry for their family members that have to fix it for free though……

For More information click the link below (Ars Technica)

Fake popup study sadly confirms most users are idiots

Originally published at Creeva's World 2.0. You can comment here or there.

Picture from here

A couple weeks ago I was talking with a friend about an idea for a new web service.   The web service would have you enter in all the services and sites you use and have an account with online, and then send you a twitter alert when the policy changed and it would show you which text changed.  My problem is while I could come up with the design, function, and architecture I couldn’t figure out any way to monetize such a service.  I let it languish and said I would eventually write a blog article on how to roll you own.   This is that article.

The key feature to making this work (obviously) is a service that can monitor website for changes and give you some sort of data trigger outbound that is usable for repurposing.  I know I could use services that would do an RSS feed, but I wanted something more immediate and trustworthy then RSS for this scenario.  I hunted around and I found the service Change Detection that will send send you an email when a web page has changed.

E-Mail Alerts

With e-mail you have a bit more control.   It’s all easy.  If all you want is an e-mail alert put in the policy page into the page address field.   Then place your e-mail address in the “send alert to:” field.   Easy as cake and your done.

Twitter Alerts

What about getting twitter alerts?  The first thing I’ll point out, I’m not a programmer.  I’m sure there are much better ways to do this in much simpler methods.  I have two requirements for myself.   Keep it free, and it keep it in the cloud.   Make the internet do the work for you, it’s always on and online - your computer doesn’t have to be.  So instead of using an Uber-Twitterbot I’m going to utilize a few free service:

1. Change Detection -Configure the privacy page you want to monitor the same way in section for getting email alerts.  Instead of relying on the emails for notification, change detection allows you to create an RSS feed for each page you are monitoring.

3. Twitter - Setup a new twitter account that you can friend.  If you worried about privacy (people knowing which sites you are watching), set the updates to be protected so only “friends” can see them.   Have the alert twitter account friend you, log out and friend the account back with your main twitter account.

4. Twitterfeed -Take the feed from change detection, pipe it through twitterfeed so it will put update notifications to your “alert account”.   Now whenever anything has changed you can watch updates from that account and you’ll have almost real time monitoring of any web page.

Originally published at Creeva's World 2.0. You can comment here or there.

Picture from here.

We’ve all read the articles flying around online over the last couple months about your data being confiscated at the border and analyzed by the border patrol.  The simplest solution of course is sending your data across the internet if you have to go through a border crossing and your worried about your data being compromised (cloud computing FTW).  The next best solution is using True Crypt and using a real encrypted volume and a hidden volume.   You risk having to disclose your encryption keys to unlock our visible volume, and with hidden encrypted partitions becoming a common theory, they may be on to you.

So what about hiding data in plain site?

Got a text document you need to hide - find a software that can take all the words in the document - produce a random word file and mixes up the words but all the words are still legible with alot of chaff words included.   If it’s named something like dictionary output 1.txt,  dictionary output 2.txt, etc. etc.   Make sure you carry a copy that can undo this in your webmail account where you can get at this and make the files usable after the fact.

Images?   Those kinky pictures that you felt you had to take with you and you couldn’t bear to mail to yourself in an encrypted fashion?   Well that’s a bit easier.   They are looking for image files on our drive (extensions don’t matter so don’t think you can get by using hte method of renaming your .jpg to .gpj’s).   You can however convert your files into photoshop or gimp formats and use layers.   Take your illicit pictures and put them as a bottom layer in your new image file.   Then on top of that add some other images as other layers.   When they open up the files in gimp, they are unlikely to go through all the layers looking for pornaography.   Bonus points if you use stenography and, hide that data in a picture - then using layers to obfuscate the data further.

These were just some ideas off the top of my head, I’m not leaving the country any time soon.  If I was, I would be transmitting all of my data encrypted across the internet.   If trusting the network is too much for you, your welcome to try these methods.  Your mileage may vary.

Originally published at Creeva's World 2.0. You can comment here or there.

Picture from here

First of all this is just a thought on where things are headed.   As far as I know for the moment none of the loyalty cards I use have an RFID chip embedded in them.  I did sit and imagine what the stores could do with this information.   Currently the stores do take your loyalty card information and track what you purchase, give you targetted coupons, and create specials in towns to raise sales on certain objects within those towns.   We all like these cards, we all like to save a buck.   There are whole websites devoted to getting the most out of your income using loyalty cards.   What about when they take it to the next level. 

Currently companies (such as walmart) have been deploying RFID chips into their items to control shrinkage, allow better inventory control, and reduce stocking fees.   In the future I’m sure that there will be RFID sensors in every store shelf to allow quick notice when something needs to be restocked.   Only 2 canned peaches left onthe shelf, send out a stock boy to aisle 4.   Doritos are being sold at a rate of 6 per 15 minute interval - under current conditions they will need restocking in 38 minutes.   This kind of technology is possible and when the price drops it will become pratical. 

So a store as RFID trackers through out their whole store how else could they leverage these to increase profit margins?  Why tracking the customers of course.   By knowing what you don’t pick up, but you stop and consider, this could be invaluable.   Do you always stop and look at the same item and pass it up?  Do you buy it 10% of the time?  What price point do you commit to the item versus passing it up.   Currently they map optimum routes through the store and place sale items accordingly.   What if certain shoppers take non-optimum routes?  What items can we target to them?   What if this is you?   How much money are you willing to save by giving up the ability for corporations to intimately track you. 

This is just something I was thinking about and thought I would share.

Originally published at Creeva's World 2.0. You can comment here or there.

It’s been a long time since I’ve beeen excited about a new browser.  Theoretically I’ve never been excited about a new browser that was announced.   I remember being excited when AOL resurrected Netscape - but that turned into a flaming pile of poo and Netscape lost dominance being THE browser to use.   Like many users at that time frame I used Internet Explorer 5 and at the time it was best of breed, then a new challenger arose.

The Mozilla foundation announced they were taking the open source bits of the Netscape browser and making a new slimmer browser called Firebird.  Because of issues of legal and copyright, Firebird was renamed to Firefox.   I’ve been using this browser since Firebird and I have had no reason to move to a different primary browser.   I’ve tried Flock and Safari, there hasn’t been a sticky reason to keep using those over Firefox.   I was excited, kind of, of the release of Firefox version 3.   But that wasn’t a new and different browser, it was more of the same.

With last nights announcement of Google’s New Chrome Browser, but they put up a nice little web comic that explains the features it offers.   The security, privacy, performance enhancements alone make this a must watch for browser.  WHen it is actually released later today, we’ll see how I feel then.

UPDATE:

Found a site that has some Chrome screenshots you may enjoy.