July 2007 Entry 6
Silliness aside, the New York Times reported yesterday that a team of security researcher at Independent Security Evaluators (ISE) has uncovered an exploit on the iPhone. It is done through the Safari browser. The same flaw exists in the Mac and Windows versions of Safari, but no tests have been done to see if the exploit will work on those platforms. Details of the vulnerability have been turned over to Apple, so the ball is in their park, now.
Apple's stock actually dropped a bit at this news, which is a really silly reaction. The iPhone is basically a hand held computer. More so than many other phones. Vulnerabilities are going to happen, and will have to be dealt with. Are you going to get rid of your iPhone because of this? I think Aviel D. Rubin, founder of ISE, said it best: "You'd have to pry it out of my cold, dead hands to get it away from me."
Update: Originally I didn't mention the severity of this vulnerability. I didn't do it intentionally, but that was information I should have included. There are no exploits for it in the wild yet, but if any appear before it is patched, you can lose control of your iPhone. Completely. A person who takes advantage of this vulnerability can do anything they want with your phone. So this is potentially very serious. If you have an iPhone, keep up with your Apple provided updates. Since they don't have to worry about 3rd party apps and drivers, they should be able to get a patch out pretty quick.
ISE's page on the iPhone vulnerability
Securely Private
This is an archive of my first blog from 2007-2008. It was hosted at the Lubbock Avalanche-Journal, but is no longer available there. The only dates I have are the month and year, but I'm including that much for reference. I'm putting the comments in, too, but they'll all look like me talking to myself. ;^)
Saturday, June 18, 2011
Google knows you.
July 2007 Entry 5
This last week has seen the internet search industry making major changes in the way user data (not just search data) is handled. Or claiming to, anyway. Excuse me if I'm skeptical. Google started it all with the insignificant change from keeping data on searchers (via cookie) forever to keeping it a mere 18 months. Sure, it looks good on the surface, but why does a search company need to know I searched for "natural balding cure" 18 months from now? Well, I didn't actually search for that, but what I search for isn't anybodies business but mine - and my wifes, if she cares to know. All of this information is supposedly anonymous, but the accidental release of about 20 million searches by AOL last year has taught us that, given enough search data (how many searches do you do in 18 months?) it is possible, maybe even trivial, to identify the searcher. Here are a couple of stories about that:
Hello Searcher 4417749
and
FAQ: AOL's Search Gaffe
And for more encouraging news:
Go Ask.com!!!
I may try refusing Google cookies, but I'll probably start using Ask.com. I'll always go with the company that gives me the most control over data about me...
This last week has seen the internet search industry making major changes in the way user data (not just search data) is handled. Or claiming to, anyway. Excuse me if I'm skeptical. Google started it all with the insignificant change from keeping data on searchers (via cookie) forever to keeping it a mere 18 months. Sure, it looks good on the surface, but why does a search company need to know I searched for "natural balding cure" 18 months from now? Well, I didn't actually search for that, but what I search for isn't anybodies business but mine - and my wifes, if she cares to know. All of this information is supposedly anonymous, but the accidental release of about 20 million searches by AOL last year has taught us that, given enough search data (how many searches do you do in 18 months?) it is possible, maybe even trivial, to identify the searcher. Here are a couple of stories about that:
Hello Searcher 4417749
and
FAQ: AOL's Search Gaffe
And for more encouraging news:
Go Ask.com!!!
I may try refusing Google cookies, but I'll probably start using Ask.com. I'll always go with the company that gives me the most control over data about me...
snail mail = email? According to the 6th Circuit Court of Appeals...Yes.
July 2007 Entry 4
On June 18th the United States Court of Appeals for the Sixth Circuit upheld a decision by the United States District Court for the Southern District of Ohio at Cincinnati. If you like reading legal decisions, here is a pdf. This decision is important because it overturns 20 year old government practices regarding email. To someone interested in such things, it's an interesting read. But since most of us aren't fascinated by legalese, here is the short version:
Until June 18th of this year the government was able to demand your archived emails from your ISP without telling you until after the emails had already been turned over. After June 18th email is accorded the same protections as phone calls and 'snail mail' based on the concept of "reasonable expectation of privacy." Reasonable expectation of privacy means that a normal person would expect their email to be read only by the people they sent it to. So personal email has "reasonable expectation of privacy," but in many cases work email doesn't. In fact, if you access your personal email at work you may lose the right consider it private. That is because many companies have policies stating that they may (or will) monitor all outgoing communications. If your employer is one of those companies, any email you send from there, even if it is your personal account, is assumed to be read by the company, making it public information. But as long as you keep your personal email at home, the feds can still demand and monitor, but now they have to either subpoena them, or get a search warrant to do it. Very good, if they obey.
I say "if they obey" because the Steven Warshak suit was brought because the government failed to follow the requirements of the law they used to gain access the email of Steven Warshak. They sought and were granted an order to obtain Mr. Warshaks records, including email, from his ISP. They requested a 90 day "delay of notification" as allowed by statute. It was a sealed order, so no one would see it until it was unsealed. One year later, a day after the judge unsealed the order a notification was sent to Steven Warshak. Though they had the right to request extensions on the 90 day "delay of notification" they never did. If the feds aren't going to obey a 20+ year old law, why will they change their habits just because they've been told their interpretation of the law is wrong?
These are the reasons we have to be on our toes and be vocal about our rights. Once a right falls, it is almost impossible to restore. Once a freedom is lost, it may take revolution to get it back. And government agencies by their nature, abhor freedom and privacy. The more freedom and privacy citizens have, the less power and control the government has. Our forefathers did a good job of balancing the two, but they could not have foreseen the incredible technologies we have, and the ways that privacies and freedoms can be infringed and outright stolen - without our even knowing we've been harmed until long after the fact. It's our job and duty to look out for our rights, because, trite as it sounds, no one else will.
On June 18th the United States Court of Appeals for the Sixth Circuit upheld a decision by the United States District Court for the Southern District of Ohio at Cincinnati. If you like reading legal decisions, here is a pdf. This decision is important because it overturns 20 year old government practices regarding email. To someone interested in such things, it's an interesting read. But since most of us aren't fascinated by legalese, here is the short version:
Until June 18th of this year the government was able to demand your archived emails from your ISP without telling you until after the emails had already been turned over. After June 18th email is accorded the same protections as phone calls and 'snail mail' based on the concept of "reasonable expectation of privacy." Reasonable expectation of privacy means that a normal person would expect their email to be read only by the people they sent it to. So personal email has "reasonable expectation of privacy," but in many cases work email doesn't. In fact, if you access your personal email at work you may lose the right consider it private. That is because many companies have policies stating that they may (or will) monitor all outgoing communications. If your employer is one of those companies, any email you send from there, even if it is your personal account, is assumed to be read by the company, making it public information. But as long as you keep your personal email at home, the feds can still demand and monitor, but now they have to either subpoena them, or get a search warrant to do it. Very good, if they obey.
I say "if they obey" because the Steven Warshak suit was brought because the government failed to follow the requirements of the law they used to gain access the email of Steven Warshak. They sought and were granted an order to obtain Mr. Warshaks records, including email, from his ISP. They requested a 90 day "delay of notification" as allowed by statute. It was a sealed order, so no one would see it until it was unsealed. One year later, a day after the judge unsealed the order a notification was sent to Steven Warshak. Though they had the right to request extensions on the 90 day "delay of notification" they never did. If the feds aren't going to obey a 20+ year old law, why will they change their habits just because they've been told their interpretation of the law is wrong?
These are the reasons we have to be on our toes and be vocal about our rights. Once a right falls, it is almost impossible to restore. Once a freedom is lost, it may take revolution to get it back. And government agencies by their nature, abhor freedom and privacy. The more freedom and privacy citizens have, the less power and control the government has. Our forefathers did a good job of balancing the two, but they could not have foreseen the incredible technologies we have, and the ways that privacies and freedoms can be infringed and outright stolen - without our even knowing we've been harmed until long after the fact. It's our job and duty to look out for our rights, because, trite as it sounds, no one else will.
Friday, June 17, 2011
A worm in the Apple?
July 2007 Entry 3
A security researcher claims to have written an OS X worm.
He doesn't give many details, other than to say the worm uses an exploit that will give remote root access. I hate to say it, but despite the verbal violence directed at him by some of the more fanatical Apple faithful, there' no reason not to believe him. There is certainly no reason to threaten and demean him. I love Mac's, and I'll probably run them until I can't find one to run anymore. But Steve Jobs is not God, and Mac's are not invulnerable. Mac users have lead blessed lives, malware wise, and may continue to for a while. But the day will come when an exploit of major virulence will hit the Mac platform, and we'd better be ready. Run Anti-Virus software. Run a firewall. The one built into OS X will work, but the firewall in a NAT router will be better. Have a "normal user" login that you use for everything except installing software. We'll go into more detail on securing your computer soon
While we're preparing our Mac' against the coming storm we'd better put pressure on Apple to pay more attention to security researchers and be less highhanded. Apple does not want to be caught flat-footed when the first big Mac malware hits. Living up to the hype they've generated is impossible in the long term, so it's time to show that when it comes to security, Apple is ready to listen and learn.
A security researcher claims to have written an OS X worm.
He doesn't give many details, other than to say the worm uses an exploit that will give remote root access. I hate to say it, but despite the verbal violence directed at him by some of the more fanatical Apple faithful, there' no reason not to believe him. There is certainly no reason to threaten and demean him. I love Mac's, and I'll probably run them until I can't find one to run anymore. But Steve Jobs is not God, and Mac's are not invulnerable. Mac users have lead blessed lives, malware wise, and may continue to for a while. But the day will come when an exploit of major virulence will hit the Mac platform, and we'd better be ready. Run Anti-Virus software. Run a firewall. The one built into OS X will work, but the firewall in a NAT router will be better. Have a "normal user" login that you use for everything except installing software. We'll go into more detail on securing your computer soon
While we're preparing our Mac' against the coming storm we'd better put pressure on Apple to pay more attention to security researchers and be less highhanded. Apple does not want to be caught flat-footed when the first big Mac malware hits. Living up to the hype they've generated is impossible in the long term, so it's time to show that when it comes to security, Apple is ready to listen and learn.
Here's looking at you (you asked for it!)
July 2007 Entry 2
The first lesson for online privacy: If you want to keep a secret from someone, don't put it on a public website. Students at Oxford are the most recent people to learn that once you put something online it is, for the most part, visible to the world. According to Telegraph.co.uk, students are complaining because pictures on their Faceboook pages are being used to show they took part in "anti-social behavior" when celebrating the end of exams. For all the details, here is the link:
[url=http://www.telegraph.co.uk/news/main.jhtml?xml=/news/2007/07/18/noxford118.xml new=true]Oxford Faces on Facebook[/url]
The simple truth is, Facebook, Myspace, etc are not private, and are not intended to be. If you don't want your college dean or university president to know how, when, and maybe why you are doing something they think you shouldn't, don't put it on any webpage, but especially not on any type of networking site - you know, networking, the practice of exposing your credentials to as many people as possible so they may someday be able to help you out, and you may be able to help them out. I have to wonder, what credentials did those students think they were putting up when they posted the damaging pictures?
Don't get me wrong. I do think Oxford stepped out of bounds, and took things out of context, but it has been made amply clear in recent years that you can't take back what you post on the internet. And you can't control who will get to see it. So if you insist on posting pictures of your wild parties on Facebook, expect your face to get noticed by someone you don't want noticing it.
Moral of the story? If you wouldn't want your parents to know about it, don't put it on line. They might not see it, but someone else will, and will show it to your parents. Or your university.
The first lesson for online privacy: If you want to keep a secret from someone, don't put it on a public website. Students at Oxford are the most recent people to learn that once you put something online it is, for the most part, visible to the world. According to Telegraph.co.uk, students are complaining because pictures on their Faceboook pages are being used to show they took part in "anti-social behavior" when celebrating the end of exams. For all the details, here is the link:
[url=http://www.telegraph.co.uk/news/main.jhtml?xml=/news/2007/07/18/noxford118.xml new=true]Oxford Faces on Facebook[/url]
The simple truth is, Facebook, Myspace, etc are not private, and are not intended to be. If you don't want your college dean or university president to know how, when, and maybe why you are doing something they think you shouldn't, don't put it on any webpage, but especially not on any type of networking site - you know, networking, the practice of exposing your credentials to as many people as possible so they may someday be able to help you out, and you may be able to help them out. I have to wonder, what credentials did those students think they were putting up when they posted the damaging pictures?
Don't get me wrong. I do think Oxford stepped out of bounds, and took things out of context, but it has been made amply clear in recent years that you can't take back what you post on the internet. And you can't control who will get to see it. So if you insist on posting pictures of your wild parties on Facebook, expect your face to get noticed by someone you don't want noticing it.
Moral of the story? If you wouldn't want your parents to know about it, don't put it on line. They might not see it, but someone else will, and will show it to your parents. Or your university.
Intro
July 2007 Entry 1
I've been using personal computers for almost 30 years, and Ive been online in one form or another since the mid-80's. I've been very active in email lists and support groups, but this is the first time I've written a regularly updated blog. I read somewhere that it takes about 5 or so posts for a blogger to find his voice, so bear with me for a week or so. By that time I'll have sorted out the tons of information available and narrowed my focus for this blog enough to be a solid source of information on privacy and information security for both the home and the small business.
On a daily basis I will be watching security holes being found in various operating systems and softwares and looking at any data breaches and how they may effect you. About once a week I will examine a security or privacy topic and how you can protect yourself.
Among the topics I will cover are PGP/GPG, Phishing, 'Virus, Worms, and Trojans', data-mining, and Microsofts new search profiling technology, to name a few. I hope you find it all interesting and informative.
I've been using personal computers for almost 30 years, and Ive been online in one form or another since the mid-80's. I've been very active in email lists and support groups, but this is the first time I've written a regularly updated blog. I read somewhere that it takes about 5 or so posts for a blogger to find his voice, so bear with me for a week or so. By that time I'll have sorted out the tons of information available and narrowed my focus for this blog enough to be a solid source of information on privacy and information security for both the home and the small business.
On a daily basis I will be watching security holes being found in various operating systems and softwares and looking at any data breaches and how they may effect you. About once a week I will examine a security or privacy topic and how you can protect yourself.
Among the topics I will cover are PGP/GPG, Phishing, 'Virus, Worms, and Trojans', data-mining, and Microsofts new search profiling technology, to name a few. I hope you find it all interesting and informative.
Subscribe to:
Posts (Atom)