Security

Hushmail not very… Hushy?

“The amount of data which Hushmail was required to turn over to the US DEA relating to 3 email addresses.  3 + 9 = 12 CDs  What kind of and for what length of time does Hushmail store logs?”

(Via Cryptome.) 

More privacy violations at Facebook

Valleywag: “My friend got a call from her friend at Facebook, asking why she kept looking at his profile,” says a privacy-conscious source at a major tech company. Turns out Facebook employees can (and do) check out anyone’s profile. Not only that, but they also see which profiles a user has viewed — a major privacy violation. If you’ve been obsessed with a workmate or classmate, Facebook employees know. If Barack Obama’s intern has been using the campaign account to troll for hotties, Facebook employees know. Within the company, it’s considered a job perk, and employees check this data for fun.

Damien recently said “hah” on my “Wall” on Facebook. He didn’t see fit to reply when I asked what he meant – although it’s possible it has the same retarded design as Bebo’s – but at a guess I’d say he was poking fun at the fact that I’m actually on Facebook, given my larting of it in several locations. In actual fact I’ve been a member since it opened, just like I’m a member of Bebo, MySpace, and most other “Web 2.0” sites. I’m an Internet consultant, it’s my job to keep an eye on these things; plus, when your biggest clients add you to their networks, it’s generally not a good idea to tell them to fuck off.

It doesn’t stop me hating them, and their disdain for privacy. I’ve read several posts recently saying that Facebook is going to become the de facto social networking site across the board, not just for the social networking addicts, but for professionals too. And they may be right, and Facebook certainly seems to be trying to accommodate them; but that doesn’t mean that they have the best platform, or more importantly, the best practices and policies. It means they have the most sheep.

I don’t want to be a member of Facebook. I’ll stay a member because it may be good for business in the long run, but I won’t visit it unless I have to. I’d much prefer to spend my time – and money, if necessary – on something like LinkedIn. It has problems too, but it’s just better put together and better thought out. That’s where business people should be, not bleating at each other like idiots and getting nothing done on Facebook.

Google’s Dictionary

I think Google must have a special dictionary that constantly redefines the word “evil” to suit their own ends. The words “privacy” and “competition” would seem to morph about quite a bit too.

In response to a letter the German data protection commissioner wrote to the European competition commissioner, coming out against the Google-Doubleclick deal, Google responded:

“We believe that this acquisition will increase competition and benefit both consumers and advertisers”.

Perhaps if they’d put the statement the other way around it would have been more believable. Of course it will benefit advertisers, since they’ll be in a much better position to target users as a result of the merge of company data. And it will benefit users on one level, in that those ads will be more relevant to them.

What about privacy though? Damien contends that the new kids on the block don’t care about privacy, and he’s probably right, but there’s plenty of us remaining that aren’t kids. And to be perfectly frank, many of us think those particular kids are thick-as-shit reality TV vegetables, and their own worst enemies anyway.

To add insult to injury Google and DoubleClick add that “DoubleClick does not own, and has limitations on its use of, the data it processes for its publisher and advertiser clients”, which of course ignores the fact that DoubleClick does control the data. And the limitations.

But it’s the “increase competition” line that gets me. How exactly will a merger of two of the biggest advertising firms on the planet increase competition? Answer: it won’t. That would be a lie.

Little tip for you Google: Lying Is Bad. Some might call it “evil”.

Free Dinner

Bruce Schneier highlights a “synchronization attack” on drive-through restaurants. Is this France’s way of retaliating against America for fast food?

There’ll be a few extra Glanzas in Dinos in Blackpool tonight.

vBulletin Attacks

Any other vBulletin admins notice attacks recently?

Foot.ie was attacked in a big way this morning, with bots attempting automated logins on dozens of accounts. Foot.ie locks down accounts after 5 failed login attempts and emails the account holder, and I receive bounce messages if the email addresses in their profiles are incorrect. I received over a hundred of these in the space of about half an hour this morning, on multiple usernames from multiple IP addresses. These are just the ones that bounced, remember.
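An added example (not from the post, and not vBulletin code) that runs over a constructed log sample and shows both the per-account rule the post describes (lock after 5 failures) and the check that rule alone does not give you: a window in which failures spread across many usernames from many source IPs. The log format and the thresholds are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample of failed-login log lines (assumed format, not real logs):
# "<ISO timestamp> LOGIN_FAIL user=<name> ip=<addr>"
SAMPLE_LOG = """\
2007-11-08T08:01:05 LOGIN_FAIL user=alice ip=203.0.113.10
2007-11-08T08:01:07 LOGIN_FAIL user=bob ip=198.51.100.7
2007-11-08T08:01:09 LOGIN_FAIL user=carol ip=203.0.113.11
2007-11-08T08:01:12 LOGIN_FAIL user=dave ip=192.0.2.44
2007-11-08T08:01:15 LOGIN_FAIL user=erin ip=198.51.100.8
2007-11-08T08:01:20 LOGIN_FAIL user=alice ip=192.0.2.45
2007-11-08T08:01:22 LOGIN_FAIL user=alice ip=192.0.2.45
2007-11-08T08:01:24 LOGIN_FAIL user=alice ip=192.0.2.45
2007-11-08T08:01:26 LOGIN_FAIL user=alice ip=192.0.2.45
this line is malformed and must be skipped
2007-11-08T09:30:00 LOGIN_FAIL user=frank ip=203.0.113.99
"""

LOCKOUT_THRESHOLD = 5   # per-account rule from the post: lock after 5 failures
EPOCH = datetime(1970, 1, 1)

def parse(log_text):
    """Return (timestamp, user, ip) tuples for well-formed LOGIN_FAIL lines."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[1] != "LOGIN_FAIL":
            continue  # ignore anything that is not a failed-login record
        ts = datetime.fromisoformat(parts[0])
        user = parts[2].split("=", 1)[1]
        ip = parts[3].split("=", 1)[1]
        events.append((ts, user, ip))
    return events

def locked_accounts(events, threshold=LOCKOUT_THRESHOLD):
    """Accounts that hit the failure threshold (would be locked and emailed)."""
    fails = Counter(user for _, user, _ in events)
    return sorted(u for u, n in fails.items() if n >= threshold)

def distributed_attack_buckets(events, bucket=timedelta(minutes=30),
                               min_users=4, min_ips=3):
    """Fixed time buckets where failures span many accounts AND many IPs.
    Returns (bucket_start, distinct_users, distinct_ips) for each hit."""
    by_bucket = defaultdict(list)
    for ts, user, ip in events:
        by_bucket[(ts - EPOCH) // bucket].append((user, ip))
    hits = []
    for key in sorted(by_bucket):
        users = {u for u, _ in by_bucket[key]}
        ips = {ip for _, ip in by_bucket[key]}
        if len(users) >= min_users and len(ips) >= min_ips:
            hits.append((EPOCH + key * bucket, len(users), len(ips)))
    return hits
```

On the sample, only alice reaches the lockout threshold, yet the 08:00 bucket shows five accounts hit from six addresses, which is the signal worth alerting on.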

“Hey, check this out!”

Bruce Schneier notes a recent study on phishing that found that over 70% of people will click on a link if it looks like it’s coming from someone they know, and jokes about men being suckers for the ladies, what with them being 15% more likely to click if the email comes from the fairer sex. (Although I should also note that, in general, women were 10% more likely to click than men. :)

I think an interesting addition to this research would be an analysis of how the baton is passed between people, and how often it does laps. In this research the names and email addresses probably came from a control set; in reality, however, phishers get them from address books stolen by trojans on compromised computers.

Obviously the stolen address book must come from a common contact if both names are in it, but the ruse will be much more successful if the source or target is the owner of the address book, and the opposite number someone in it. And around we go. So what we have here is actually a Six Degrees Of Separation Möbius Strip Of Stupidity.

Another study Bruce notes only serves to highlight the naïveté of modern man. Although the response rate isn’t enumerated, a professor at Indiana University has found that people are willing to respond to fraudulent emails if the attacker identifies the first four digits of their credit card number, instead of the usual last four.

You all know why they use the last four, right? If you don’t and the first four digits of your card are 4539, this is Mmbaza from Bank of Ireland and I’d like to talk to you about a trust account in the name of Mrs. Charles J. Haughey and a transaction which will fall in your favour to the tune of 10% of Thirty Million Euros.

Security Public Relations Excuse Bingo

Via Bruce, who features himself. :)

I’m going to be naughty and paste all the items, otherwise you’d be there all day hitting refresh.

  • You’re so negative
  • Our proactive technology solutions prevent that
  • Our proprietary encryption algorithms prevent that
  • We have CISSP certified engineers
  • That’s just theoretical mumbo-jumbo
  • You’ll be hearing from our lawyers
  • You’ve got a conflict of interest
  • That’s only there for backward compatibility
  • We meet all government standards
  • We meet all industry standards
  • It doesn’t need to be very secure
  • Nothing is 100% secure
  • We take security very seriously
  • We don’t comment on security matters
  • No comment
  • You are in violation of the DMCA
  • We already knew about it
  • Nobody will ever try to do this
  • What kind of a person looks for flaws?
  • No one would ever think of that
  • Our success speaks for itself
  • You’re paranoid
  • You’re just an academic
  • You’re only helping the bad guys
  • Why do you hate America?
  • You don’t understand the context
  • The product was tested by security experts
  • We employ top security experts
  • Who are you to criticize, anyway?
  • This is probably fixed in the next release
  • No one has complained before
  • No one has ever found any problems
  • It’s a feature our users want
  • Let’s see you design something better
  • You’re just looking for attention
  • You must be being paid by our competition
  • We’ve always done it this way
  • Everybody does it this way
  • We follow industry standard practices
  • We think it is secure enough
  • You’re being irresponsible
  • If you hadn’t told anyone, it would still be secure
  • La, la, la we’re not listening
  • It’s secure enough for our customers
  • We use cryptography
  • We read Schneier’s book
  • What do you have against us?
  • Why are you trying to harm our industry?
  • It would be too expensive to fix that
  • Our customers love our product
  • We’re fully ISO-9001 compliant
  • Nobody’s perfect

Spot the Undercover Reporter

Wired: DefCon staff lured her to a large hall telling her that the Spot the Fed contest was in session and that she could get a picture of an undercover federal agent at the contest. When she sat down, Jeff Moss, DefCon’s founder, announced that they were changing the game. Instead of Spot the Fed, they were going to play Spot the Undercover Reporter and then announced, “And there’s one in here right now.” Madigan, realizing she’d been had, jumped from her seat and bolted out the door with reporters carrying cameras chasing after her through the parking lot and to her car.