Archive for September, 2008

Sep 17 2008

DHS can’t handle cybersecurity?

Published by under Government

It looks like the Department of Homeland Security is under fire for their general lack of ability, infighting and lack of progress in securing the federal government.  A recent report from a task force responsible for reviewing the DHS gives them a failing grade and says they need to lose their authority over cybersecurity.

As much as I wish I could say this surprised me, I haven’t heard or read even a single article in the last few years that would contest these findings.  In fact, almost every article I’ve read supports the idea of finding a new way of promoting cybersecurity at the Federal level.  And I can honestly say that I don’t blame the folks at DHS, since they were handed a nearly impossible job with little or no authority to actually effect change.


One response so far

Sep 16 2008

Security Roundtable, September 13, 2008

Published by under Podcast

Michael Santarcangelo and I are trying something new with the Security Roundtable; we’ll be recording every other week at 7:00 am Pacific on Saturday morning.  This probably seems like an ungodly hour to some, but I really am up that early anyway.  Just like the Network Security Podcast, we’ll be streaming the audio live at http://hak5radio.com:8000/srt.mp3.m3u.  We also have an IRC channel set up so you can ask questions while we’re recording.

We sent out a tweet Friday night before the podcast in search of someone to join us on the podcast and it was answered by Marc Massar, Principal Solutions Architect at Venafi.  Well, it was actually Venafi’s PR person who answered the tweet, but we’re perfectly willing to talk to PR folks as long as it doesn’t turn into a sales pitch.  And it turned out that Marc was a lot of fun to talk to.  He must have gotten enough coffee before we started that morning.

We’re working hard on redesigning the flow of the Security Roundtable to make it easier to record, more engaging for the listener and be able to produce it more often.  We’ll be inviting more people on, but have fewer people on at any one time.  The five-person at a time roundtable was a lot of fun and interesting, but a nightmare to try to coordinate.  By having a set time we record, we’ll be forced to run with the show whether a guest shows up or not.  And we really want to make the listeners a bigger part of the show (IRC:  ##SRT on irc.freenode.net).  This week was an experiment, but we hope to make a number of additional changes and will be working on improving the SRT weekly.  Let us know what you think and what you’d like to see from future podcasts.

The next SRT will be recorded on September 27th, 2008 at 7:00 a.m. PDT.  Have coffee, will podcast.

Security Roundtable for September 13th, 2008


One response so far

Sep 16 2008

Network Security Podcast, Episode 120

Published by under Podcast

Tonight was our first attempt at recording the Network Security Podcast while also streaming it live to the world.  As you might have guessed, there were a few minor glitches, but overall things worked out.  We plan on streaming most, if not all, of the podcasts from now on, though we don’t think there is any way we can get ourselves coordinated enough to actually record the show at the same time every week.  After all, there has to be some randomness to the NSP experience, otherwise it wouldn’t be the NSP.  The URL for the streaming audio is http://hak5radio.com:8000/netsecpodcast.mp3.m3u and we’ll try to tweet and post a note at least a couple of hours before the recording in the future.

We were joined tonight by Justin Searle, Kevin Johnson and Jay Beale from Intelguardians.  As well as discussing the news stories of the week, the guys were here to tell us about a new LiveCD they’ve developed, Samurai.  They saw a hole in the security LiveCD arena and created a Web Testing Framework LiveCD for beginners to learn on and experienced pen testers to use in the real world.  Fun stuff, which is why tonight’s podcast went a little long.

Network Security Podcast, Episode 120 for September 16, 2008
Time: 43:57

Show Notes:


No responses yet

Sep 16 2008

“You can’t get the toothpaste back in the tube, so deal.”

Published by under Privacy

“You can’t get the toothpaste back in the tube, so deal.”

That was the final line in a comment by reader John Maloney concerning yesterday’s post “Social Networks will be the downfall of civilization!”  And it’s also part of the point I was trying to make yesterday:  too many people don’t realize that once they put information about themselves on a social networking site, it’s public and there’s almost no way to get it back.  Once you’ve posted your personal information and pictures to the Internet, they’re out there and the more effort you put into getting them back, the more likely they are to spread.

As a blogger and podcaster as well as a dabbler in other social media, I’m constantly struggling with the balance of disclosure versus keeping my life private.  I don’t talk about it much, but if you take a look in the archives of the site, you can find who my last few employers have been, you can find out a bit about my family and where I live.  You can find my hobbies and interests outside of security.  Search hard enough and you might even find a couple pictures of the neighborhood I live in and my family.  But the point is, I considered what information I was releasing into the wild each time I posted them and made a conscious decision concerning the information and the possible impact its release could have on me.  And that’s my problem with social networking today:  too many people fail to understand the consequences of publishing their most intimate details.

Just like the rest of security, people don’t give much thought to the consequences of information disclosure; they automatically think that only the people who they want to have access to their information are going to see it.  Or they don’t believe anyone outside their circle of friends would ever want to see their information.  Or they never give it any thought and post without any understanding of the possible consequences at all.  This is a matter of education and quite frankly most people never have an opportunity to get educated or educate themselves and probably wouldn’t take it if it was offered.

Social networks espouse the benefits of their services.  After all they want to encourage their audience to use the service and who can blame them?  But I think few, if any, make much of an effort to explain to their users the danger that the information users are disclosing may pose.  How many social networking sites try to make users understand that the pictures, posts, comments and chats they post online have the potential to be seen by employers, friends and spouses, let alone the consequences that disclosure could have?  I don’t remember seeing anything to that effect on any of the social networking sites I’ve signed up for.  If you know of some, please tell me in the comments.

Privacy may not even be the proper term for this discussion.  Privacy has more to do with other people trying to find out information you’ve kept hidden or information others are supposed to be keeping safe for you.  Privacy is about your sensitive information not being probed by the Feds without a warrant and keeping your medical records safely at the doctor’s office, not on a USB stick or in Google Docs or some other cloud technology.  I believe the more appropriate term would be disclosure, since every piece of information on social networks is something that the user has made a conscious decision to put there, whether they understand the consequences or not.  And usually the understanding is not there.

As far as I’m concerned, this discussion has little or nothing to do with privacy and everything to do with disclosure.  Privacy is not dead and hopefully never will be.  But people have to understand the difference between the two concepts.  You can’t consider something you’ve willingly placed online to be private anymore.  I can understand that misconception five years ago when the social media revolution was starting, but in today’s environment, with all the writing and discussion around social networking, it’s almost willfully ignorant to not consider the consequences of posting something to YouTube, MySpace or Facebook.

So, no, you can’t get the toothpaste back in the tube.  Which is why we need to educate people about the difference between ‘privacy’ and ‘disclosure’.  People, young and old, need to understand what the consequences of using social networking sites are.  They, the users, are the ones who are taking their information out of the realm of ‘privacy’ and into the realm of ‘disclosure’.  It’s up to the user to understand the difference.

We can have privacy and social networking, it just takes constant vigilance and some understanding of the difference between privacy and disclosure.  Well, we can have privacy if you discount little things like warrantless wire-tapping, telephone company immunity, the FISA courts and governmental trends to intrude anywhere they think a ‘terrorist’ might be.  But that’s a different, much more contentious discussion.


5 responses so far

Sep 15 2008

Social Networks will be the downfall of civilization!

Published by under Privacy

Hyperbole aside, social networks are causing a change in our society.  The very concept of ‘privacy’ has undergone more mutation in the last five years than it has in the last 50 years combined.  What my generation took for granted and is now stressing about is apparently something young adults in college take for granted, even if they don’t understand the repercussions of the change.  And as always, change isn’t necessarily good or bad, it’s just something that is.

While waiting for a plane flight home last Friday evening, I picked up a copy of this month’s Scientific American.  This was a special issue, titled “Will Technology Kill Privacy?”  To me, this is one of those topics that if you’re not concerned/scared, then you’re not paying attention.  I can honestly say that every article in the magazine was worth taking the time to at least skim to get the gist of the topic and at least half of the articles were worth taking the time to read beginning to end.  But the one article that I read that really caught my attention was “The End of Privacy?” by Daniel Solove.  It highlights how easily information flows into and out of social networks and how little concern many younger people place on this flow.  It also talks about how little most users of MySpace, Facebook and other social networks understand this.

Then over the weekend I read a Computerworld review of a CareerBuilder survey concerning employers and social networks which basically points out that employers are paying more attention than ever to what potential employees post to social networks.  What surprises me is not that employers are researching potential employees’ social networks, but that the number isn’t higher than 22%; if I were an employer, I’d not only be looking at the social networks of potential employees, I’d be seriously considering making a corporate policy to do an annual review of current employees’ social networks.  While this seems a little strange coming from someone who considers themselves a privacy advocate, I also believe that once you’ve posted information to a social network, you no longer consider it private, so neither should I.  I do have a couple questions about the CareerBuilder survey, like what industries were included in the survey and how much of a difference that makes.

CareerBuilder has some good suggestions for potential job seekers, which basically boil down to “don’t put anything on your social network you don’t want a potential employer to see”.  It’s amazing how few people actually realize that what they put on their Facebook page can be seen by anyone in the world and what the repercussions can be.  Not only can putting the wrong picture on your page prevent you from getting a job, it can lose you a job you already have; over the last few years there have been multiple cases of people losing their job because they posted inappropriate pictures or commented on the great party they went to when they’d called in sick for their shift that day.  Again, if you’re posting something on Facebook for the world to see, don’t be surprised if your boss considers himself part of ‘the world’.  I’ve always wondered if any of my managers take the time to read my blog, listen to the podcast or follow my twitter stream.  Which is why I’m more than a little careful with what I say and write, though if you know me, what I say face to face isn’t all that much different from what I tweet and write.

The final social network story that caught my attention was about researchers who see social networks as the next big attack vector for malicious code.  I’ve been more concerned about the problems with social network code since I saw the “Satan is on my Friends List” presentation at Defcon; it’s a bit of a wakeup call when you go to a talk at Defcon and see your own picture as part of the presentation (Nathan and Shawn had impersonated some folks on Twitter, and I’m one of the people who fell for it).  It’s becoming very clear that as hard as they might try to make it safe, the fact that social networking sites are allowing end users to post code to the site is a huge security hole.  No matter how hard they try to sanitize the code and make it safe, it’s a difficult balancing act between letting the users do what they want and preventing them from doing bad things to other users.  This is one of the reasons you’ll never find me clicking on a link to a MySpace page and rarely checking my own Facebook account, let alone looking at someone else’s.
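The sanitizing balancing act described above, as an added illustration that is not code from this post or from any social networking site: an allowlist-based sanitizer for user-posted profile markup that rebuilds permitted tags from scratch instead of trying to strip known-bad ones. The tag and attribute policy, the accepted URL schemes and the sample inputs in the tests are all assumptions made for the example.

```javascript
// Hypothetical policy (assumption): which tags survive and which attributes each may carry.
const ALLOWED = new Map([
  ["b", []], ["i", []], ["p", []], ["br", []],
  ["a", ["href", "title"]],
  ["img", ["src", "alt"]],
]);
const URL_ATTRS = new Set(["href", "src"]);
const SAFE_SCHEMES = new Set(["http", "https"]);

// Text nodes: neutralise anything that could open a new tag.
function escapeText(s) {
  return s.replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Attribute values are re-emitted in double quotes, so quotes must be encoded;
// existing entities are left alone to avoid double-encoding.
function escapeAttr(s) {
  return s.replace(/&(?![a-z]+;|#\d+;)/gi, "&amp;").replace(/"/g, "&quot;");
}

// A URL is kept only if it is site-relative or uses an allowlisted scheme.
// Control characters are stripped first because browsers ignore them when
// reading a scheme, so the check must see the URL the way the browser will.
function safeUrl(value) {
  const cleaned = value.replace(/[\u0000-\u0020]/g, "");
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  if (!m) return !cleaned.startsWith("//"); // relative yes, protocol-relative no
  return SAFE_SCHEMES.has(m[1].toLowerCase());
}

// Rebuild an allowed tag from scratch so nothing unexpected leaks through.
function rebuildTag(name, rawAttrs) {
  const allowedAttrs = ALLOWED.get(name);
  const attrRe = /([a-zA-Z-]+)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  const parts = [];
  let m;
  while ((m = attrRe.exec(rawAttrs)) !== null) {
    const attr = m[1].toLowerCase();
    if (!allowedAttrs.includes(attr)) continue; // event handlers, style, etc. are dropped
    const value = m[2] ?? m[3] ?? m[4] ?? "";
    if (URL_ATTRS.has(attr) && !safeUrl(value)) continue;
    parts.push(` ${attr}="${escapeAttr(value)}"`);
  }
  return `<${name}${parts.join("")}>`;
}

// Walk the markup tag by tag: allowed tags are rebuilt, unknown tags are
// dropped (their inner text stays), and all text between tags is escaped.
function sanitize(html) {
  // script and style bodies are never user content; remove them wholesale.
  const stripped = html.replace(/<(script|style)\b[^>]*>[\s\S]*?<\/\1\s*>/gi, "");
  const tagRe = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
  let out = "", last = 0, m;
  while ((m = tagRe.exec(stripped)) !== null) {
    out += escapeText(stripped.slice(last, m.index));
    last = tagRe.lastIndex;
    const name = m[2].toLowerCase();
    if (!ALLOWED.has(name)) continue;
    out += m[1] ? `</${name}>` : rebuildTag(name, m[3]);
  }
  return out + escapeText(stripped.slice(last));
}
```

The point of the allowlist is that every attribute and scheme must earn its place; a blocklist of known-bad tags has to anticipate every trick, which is exactly the losing side of the balancing act.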

Social networks aren’t bad, at least not any more than any technology on the Internet.  But they do have the potential to be misused and abused, just like nearly every other technology ever created.  The problem is that we’ve undergone such a quick adoption rate that very few people have paused to understand the repercussions of sharing information that used to only be available to a few of their friends and family.  Few people understand that the pictures and anecdotes you’re sharing with your friends across the country are also potentially being shared with millions of people around the globe. 

I’m not going to argue against using social networks; I use Twitter extensively, I blog, I podcast, and I use other social media a fair amount.  What I will argue is that most people need to put more thought into what they’re posting on the Internet.  If you’re posting something to the Internet, take a moment to think about this question:  Would you be embarrassed if your mother/father/significant other found it by accident?  If the answer is yes, then make sure you’ve made the information private.  Or better yet, don’t post it at all; a number of social networking sites have accidentally disclosed information that the users have marked private over the years.  It’d be a shame to lose your dream job because that picture of you at a friend’s party holding a bong suddenly came to light.


7 responses so far

Sep 13 2008

Playing with Live Streams for SRT

Published by under Podcast

This morning Michael Santarcangelo and I will be playing with streaming the audio from a Security Roundtable podcast.  We don’t really have a topic or a theme for the podcast.  We don’t even have any stories to talk about.  We’ll just be sitting online, talking and testing out how to use the streaming software.  And let me tell you, this software has more options and tricks than I’ll use in a long, long time.

The stream will start at 7:00 am PDT at http://hak5radio.com:8000/SRT.mp3.m3u, I think.  I may have the URL munged up a little, so if that doesn’t work, try it with just the .mp3 extension.  We have a guest lined up thanks to a tweet last night, but this really is just going to be 3 security guys talking about whatever interests them for about 45 minutes.

If this works out, Rich and I may try streaming the Network Security Podcast when we record.  We can’t do anything as organized as actually have a set time and date for our recording sessions, but this will be one step closer to being able to do so. 

PS.  I created a channel for today’s session on IRC.freenode.net.  Predictably, the channel name is ##SRT. 


No responses yet

Sep 09 2008

Network Security Podcast, Episode 119

Published by under Podcast

Rich is back after a week at the Democratic National Convention and a week of vacation with his wife. He’s been out of touch between being in Denver and being off the coast of Alaska. He’d also just arrived home a couple of hours before we started recording, so tonight’s show is short, sweet and to the point. Which is probably for the best, since there were privacy issues up for discussion; I was barely able to keep Captain Privacy at bay.

Network Security Podcast, Episode 119, September 9, 2008
Time: 24:14

Show Notes:


No responses yet

Sep 05 2008

What’s in my queue

Published by under General

There’s not enough time in the day to read everything I’d like to, let alone blog/comment on it. So rather than even try, here are a few of the articles/pages in my reading queue right now. This way I’ll at least be able to come back to them later when I actually have some spare time. As if that ever happens.

I’d add more, but something shiny has distracted me once again.


One response so far

Sep 05 2008

Just plain wrong

Published by under Government,Humor

This would be funnier if the TSA wasn’t actually including 4 year old children on the No Fly list. I don’t even know if the TSA actually does cavity searches, but I do know I don’t want to find out.

No responses yet

Sep 03 2008

Google willing to change (the EULA)

Published by under General,Security Advisories

This morning I was one step away from completely removing Chrome from my computer. Like the vast majority of people, I never do more than glance at the End User License Agreement (EULA). But luckily there are people out there who make a living reading EULAs and interpreting what the legalese really means. And what was found in the EULA scared a lot of people on the Internet: Anything and everything you create in Chrome can be used by Google in any way they want.

That’s scary. According to this interpretation, if I write an email or create a blog post, Google has the right to “reproduce, adapt, modify, translate, publish, publicly perform, publicly display and distribute” the content I created. And to make matters worse, it’s pretty much forever and anywhere.

The good news is that Google heard the collective screams of the blogosphere and have said “That’s not what we meant at all! We’re not evil, honest.” And in an effort to convince us of their not-evilness, they’re going to change the EULA and make it retroactive for previous versions of Chrome. We can all breathe a collective sigh of relief and go back to playing with our shiny new toy, Chrome.

EULAs are nasty business, and to a large degree unenforceable. This is especially true in Google’s case, since they were releasing Chrome under the BSD license, which has much broader licensing allowances and would supersede Google’s EULA. The other interesting thing is that you almost never hear of anyone actually trying to enforce a EULA to begin with; they’re meant to be a bunch of scary legal text that you can use to threaten an end user with. The reality is, most companies would rather drop a case than actually try to enforce a EULA, since there’s a good chance the EULA could be struck down, thereby creating a legal precedent. Which is why I doubt we’ll see a EULA challenge in court here in California; if the courts are going to scrap the EULA concept anywhere, it’d be here.


3 responses so far
