Facebook Hangover

On Dave Farber’s list, Brock Meeks pointed us to a delightful Facebook Smackdown. Brock says,

What do Facebook, the CIA and your magazine subscription list have in common? Maybe more than you think…

Trust me, it’s worth the look.

And indeed it is worth looking at, along with Patrick Schitt’s contribution of the background documentation.

I found the “smackdown” a refreshing antidote to much recent discussion about young adults and their attitudes about privacy. Perhaps some of it is hyperbolic; anyone associated with the Internet back in the days when it was the Arpanet has similar ties. But let’s look at the larger issue.

Over the last year or so, there’s been a theme going around the media about how kids today are much more comfortable with personal information out on the net. There have been dramatic news stories about it, and I have had the privilege of seeing a few panels at universities on that subject, amused by the walking oxymorons — well-known privacy activists — who participate.

The continued democratization of personal information is not an unalloyed desirable thing, but it is also a fact of life. At lunch yesterday, I snorted something about how if you can’t find the home address of anyone sitting at the table in less than five minutes, then your search-fu needs brushing up.

Many of those stories and discussions have had as an implicit or explicit theme that old people (those who got their first email address during, not after, the dot-com boom) can learn something from these young adults. However, young adults are well-known for risk-taking behavior. They get drunk, drive fast, take drugs, sleep around, put their hearing at risk, and do many other things that older people do not do (or don’t do anymore). The mainstream media has credulously swallowed the notion that not caring about privacy is youthful wisdom rather than youthful indiscretion.

Many young adults wake up one morning with a pounding headache, fuzz on their tongue, a wretched feeling in the gut that they’ll learn one day is acid reflux, the distressing feeling that they are not comfortable with the place nor manner in which they woke up, and the feeling that they may have done some things that it’s perhaps better that they don’t know they did. Over time, this leads to behavior modification.

When one is suffering from a hangover, one often says intemperate or hyperbolic things about that which got one in that state. Even if the Facebook Smackdown contains hyperbole, I view it as a Netizen Hangover.

Facebook has a privacy and information use policy that is skewed slightly to Facebook over its users. In a normal state of mind, one might respond to this with, “yeah, whatever,” particularly if one is of an age that “yeah, whatever” is part of one’s active vocabulary. If one has the unpleasant feeling that one has made a fool of oneself in public, the response might be, “ZOMGWTFPWNED!” Facebook also has investment connections that could get either of the two previous responses.

This hangover plots some points and draws lines between them. During a hangover, one might forget that just because one can draw a line between two points, one isn’t obligated to draw a line between them. Furthermore, when one does those little connect-the-dots puzzles, order is important; that’s why they put numbers by the points.

As one holds one’s coffee with both trembling hands while tending that hangover, knowing that Facebook can do pretty much anything it wants with all the information in it, and that there are few degrees of separation between Facebook and the parts of the government that want to find bad guys through data mining, the thought that Facebook might get you on the no-fly list doesn’t sound unreasonable. It’s easy to wonder between sips if one’s internship will be in Gitmo. Are they mining Facebook to look for bad guys? Probably not. Could they? Sure.

Nonetheless, there are many lessons one learns as one gets older. Every generation learns something new that they have to carefully explain to their kids (“I’m not ashamed of what I did, but really, I recommend thinking twice or three times before doing what I did.”) A cavalier attitude to privacy may end up on that list sooner than we think.

She’s Such A Geek

Longtime geek author Annalee Newitz and Charlie Anders published She’s Such A Geek last year. I’ve been meaning to blog about this for a while. It’s a collection of over 20 essays by women geeks. These essays cover the trials, tribulations and joys of being a female geek. At times entertaining and other times depressing, the book highlights both how far feminism has gotten over the last hundred years and how much more it has to accomplish. I can’t recommend the book or the associated blog enough.

TSA Can’t Keep a Secret

Alternate title: “If schadenfreude is wrong, I don’t want to be right.”

Ryan Singel reports that the “TSA Lost Sensitive Data on 100,000 Employees.” This is the same agency which wants to collect all your personal data so they can deny you the right to get on a plane without any sort of legal proceedings. You know, for all those people who are too dangerous to travel, but not dangerous enough to arrest.

A hard drive containing sensitive information including social security numbers and bank account information on 100,000 Transportation Security Administration employees has gone missing from its headquarters and the FBI has been notified, according to a 7 p.m. EST [Friday] press release from the agency.

Remember, you have a few days left to stop REAL ID. If you do, the TSA’s next lost laptop will contain less data about you.

Interesting Stuff From Microsoft

My colleague Dave Ladd has a post “Security Education v. Security Training:”

Unfortunately, there’s an assumption held by many in our (IT) community that the road to better security leads to “drinking from the fire hose” – that is to say, employees are rocketed through week long training classes, then drilled and tested on security topics. Without the necessary exposure to secure systems design and concepts, more often than not these classes simply become a blur.

Over at the Old New Thing, Raymond Chen has a really interesting post titled “How my lack of understanding of how processes exit on Windows XP forced a security patch to be recalled:”

I was one of the people brought in to study this new behavior, poke holes in its design, poke holes in its implementation, review every line of code that changed and make sure that it did exactly what it was supposed to do without introducing any new bugs along the way. We found some issues, testers found some other issues, and all the while, the clock was ticking since this was a security patch and people enjoy mocking Microsoft over how long it takes to put a security patch together.

Encryption Is Security Theater

Last night I was talking with a certain analyst from a large company that we’ve all heard of, and we got into a discussion about most security people not understanding encryption at all, to the point that it is assumed to be a cure-all. In fact, with the exception of encrypting data at rest (and in many cases not even then), use of encryption serves as nothing more than providing a false sense of security.

This is particularly true in the case of SSL. SSL is probably the most deployed, least useful security technology since tin foil underwear. Gene Spafford (as usual) put it best years ago, and nothing has changed:

“Using encryption on the Internet is the equivalent of arranging an armored car to deliver credit card information from someone living in a cardboard box to someone living on a park bench.”

Take a look through the various breach databases. Is there a single case where the breach could have been prevented by the use of transport level encryption? I have yet to find one.

But what about CA1386 and its brethren? Or PCI? They mandate encryption. PCI dropped the requirement with the move to 1.1, so clearly they didn’t see any real benefit in it. As for CA1386 and the like, although use of encryption does provide one with a get out of jail free card, all of the practical ways of applying encryption to online systems mean that hacking the server gives you access either to the encryption keys or to a database that is already decrypted for use.

Which brings us to data at rest. Encryption is only as good as the password/passphrase that protects the keys. Users are notoriously bad at selecting good passwords. Combine this with the fact that the more popular disk encryption programs (EFS, BitLocker, FileVault, etc.) automatically decrypt the data for you on the basis of your login credentials, and in many cases one again isn’t that well protected. On the plus side, tools like PGP, BitLocker and others are well suited for protecting data at rest when the data is separated from its keys, particularly on USB drives and the like.

So when doing a risk assessment, please don’t assume something is secure because it uses encryption, and please don’t assume that whatever issues there are can be fixed by adding encryption. After all, it is just security theater.
[Edit: Corrected a typo. Thanks Gavin.]
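The point that encrypted data at rest is only as strong as the passphrase guarding its key is easy to quantify during a risk assessment. The following is an added example, not code from the post or its author: it derives a key from a passphrase with PBKDF2 (what disk- and file-encryption tools do under the hood) and then estimates how many guesses an exhaustive search of that passphrase would need and what it would cost in CPU time. The wordlist size, the HMAC throughput figure and the sample passphrases are constructed assumptions, chosen only to make the contrast between a dictionary word with a digit and a random string visible.

```python
"""Rough guessing-cost estimate for a passphrase that protects an encryption key.

Added example (not from the original post). All numbers below are assumptions:
ASSUMED_WORDLIST_SIZE stands in for a real cracking wordlist, and the HMAC
throughput passed to search_cost_seconds() is a stand-in for real hardware.
"""
import hashlib
import math
import os
import re
import string

# Constructed, deliberately tiny wordlist; real lists hold many thousands of entries.
COMMON_WORDS = {"password", "letmein", "welcome", "qwerty", "monkey", "dragon"}
# Assumption: size of the wordlist a guesser would actually draw from.
ASSUMED_WORDLIST_SIZE = 100_000
# Characters typically tacked on to the end of a dictionary word.
SUFFIX_ALPHABET = string.digits + string.punctuation  # 42 symbols
# Number of punctuation symbols on a US keyboard, used for the random-string model.
PUNCTUATION_COUNT = len(string.punctuation)  # 32


def derive_key(passphrase: str, salt: bytes, iterations: int = 600_000) -> bytes:
    """Derive a 256-bit key from a passphrase; each guess costs `iterations` HMACs."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                               iterations, dklen=32)


def estimate_guess_space(passphrase: str) -> tuple[int, str]:
    """Return (number of candidates a guesser must try, short reason).

    A dictionary word plus a short suffix is modelled as
    wordlist x 2 capitalisation variants x suffix alphabet ** suffix length.
    Anything else is modelled as uniformly random over the character classes used.
    """
    match = re.fullmatch(r"([A-Za-z]+)([0-9\W_]{0,4})", passphrase)
    if match and match.group(1).lower() in COMMON_WORDS:
        suffix_len = len(match.group(2))
        space = ASSUMED_WORDLIST_SIZE * 2 * len(SUFFIX_ALPHABET) ** suffix_len
        return space, "dictionary word plus short suffix"

    alphabet = 0
    if any(c.islower() for c in passphrase):
        alphabet += 26
    if any(c.isupper() for c in passphrase):
        alphabet += 26
    if any(c.isdigit() for c in passphrase):
        alphabet += 10
    if any(not c.isalnum() for c in passphrase):
        alphabet += PUNCTUATION_COUNT
    return alphabet ** len(passphrase), f"random characters over a {alphabet}-symbol alphabet"


def search_cost_seconds(guess_space: int, iterations: int,
                        hmac_per_second: float = 1e9) -> float:
    """CPU-seconds to try every candidate once, at an assumed HMAC-SHA256 rate."""
    return guess_space * iterations / hmac_per_second


def report(passphrase: str, iterations: int = 600_000) -> dict:
    """Collect the figures a risk assessment would want for one passphrase."""
    space, reason = estimate_guess_space(passphrase)
    seconds = search_cost_seconds(space, iterations)
    return {
        "passphrase": passphrase,
        "guess_space_bits": math.log2(space),
        "reason": reason,
        "exhaustive_search_years": seconds / (365 * 24 * 3600),
    }


if __name__ == "__main__":
    salt = os.urandom(16)
    # Constructed sample passphrases.
    for candidate in ("password1", "Welcome!", "xK9#pQ2mZ8!vL4"):
        key = derive_key(candidate, salt)
        figures = report(candidate)
        print(f"{candidate!r}: key={key.hex()[:16]}... "
              f"{figures['guess_space_bits']:.1f} bits ({figures['reason']}), "
              f"exhaustive search ~{figures['exhaustive_search_years']:.3g} years")
```

The derived key is 256 bits regardless of input, which is exactly the false comfort the post warns about: the key looks strong, but the search space that matters is the passphrase's, and for a common word with a digit it is a few million candidates, hours of work at the assumed rate even with 600,000 PBKDF2 iterations. Raising the iteration count scales the cost linearly; a longer random passphrase scales it exponentially, so the second lever is the one that changes the risk picture.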

Breaches in SEC Reports

Gregory Fleischer saw my Shmoo talk, and was kind enough to tell me when he found breaches in SEC reports:

At your Shmoocon talk you mentioned that you had difficulty finding SEC filings related to security breaches. I was doing some research and came across several SEC filings that discuss security breaches.

Generally, these items are going to appear in either a 10-Q or 10-K. Typically, this will be some boilerplate warning in the risk factors section such as:

A material security breach of our information systems or data could harm our reputation, cause a decrease in the number of customers, and adversely affect our financial condition or results of operations.

He’s found that this Google search against the edgar-online site works well:

("disclosure of personal information"|"security breach") ("10-K"|"10K"|"10-Q"|"10Q") site:edgar-online.com

I haven’t had time to read all of these, but being a fan of evidence, I wanted to share data points as I learned them.

Stop Real ID

So I was a little curt in my bloviation the other day about the REAL ID forum. There’s good people doing real work to stop this thing, and they deserve your help and support.
Over 40 organizations representing transpartisan, nonpartisan, privacy, consumer, civil liberty, civil rights, and immigrant organizations have joined to launch a national campaign to solicit public comments on Real ID before the May 8 deadline … no matter what your political persuasion or individual perspective, you’re likely to find somebody there you agree with. See http://www.privacycoalition.org/stoprealid/ for more information.

To keep up with what else is going on with Real ID, subscribe to http://stoprealidnow.blogspot.com

“The vendor made me do it”?

Via StorefrontBacktalk comes news that

Following lawsuits in February against some of the nation’s largest retailers for illegally revealing too much credit card information on printed receipts, two of those retailers are now suing their POS vendors.

In the last couple of weeks, two of those retail defendants—Charlotte Russe and Shoe Pavilion—have sued their POS vendors, saying that the retailer relied on them and if the retailer is liable, then the POS vendor should pay for it.

Interesting defense. I wonder if it will also be used by anyone who has been improperly storing payment card mag stripe data? There have been some high-profile cases of this occurring, and (as reported by Bob Sullivan at MSNBC) Visa issued a warning to retailers about inappropriate mag stripe retention by some POS software utilities last year.

Flash Data Breach
The Hartford Courant reports that a Lockheed employee dropped a USB flash drive at a gas station that contained Joint Strike Fighter information. A truck driver found it and “took it home for a 20-minute look-see, then turned it over to authorities.”

I have three words of advice: full disk encryption.

Photo courtesy of POONDOG.

DHS Sends a Flunky to Do A Man’s Job

So DHS has managed to cancel all but one “Town Hall Meeting” about REAL ID. They’re sending a “Richard Barth, Assistant Secretary, Office of Policy Development” to talk to the fine people of San Francisco about the travesty of a national ID card which is REAL ID.

We’ll waste $20 billion on this nonsense, and it won’t make us any safer.

What more do you expect from the Bush administration?

I’d write something rational and balanced, but the other side sure doesn’t, so why bother?