Facebook: It's not just about privacy, it's the principle.

Lots of people are annoyed at Facebook over its deployment of Instant Personalization and what it has done to privacy, and I'm one of them.

So, first, what exactly has Facebook done? Instant Personalization means that when you visit any of its partner sites, Facebook shares information about you with that site in order to "personalize" your visit. Currently it's just three partner sites, but that number is sure to grow (as, I'm sure, is what gets shared). Worse, not only are you enrolled in Instant Personalization automatically, you have to opt out of each partner separately, so every time a new partner is added you have to go and opt out of that one too.

That's two sins in my book: making a privacy-eroding feature opt-out instead of opt-in, and making the opt-out unnecessarily complicated.

It's become clear to me that Facebook has prioritized its business over its users' privacy, and it has a long history of doing so.

A lot of the complaints I've seen on the Internet go along the lines of "Facebook is eroding privacy", which then get countered with "you are a fool to expect privacy on the Internet."

I have no problem with sites that don't give you privacy. I use Twitter without a problem; the difference is that Twitter makes no promises of privacy. Anything I put on Twitter I know will go out for the world to see. I have no expectation of privacy there, and that's fine.

I think Adrian Perez put it well:
"I joined Facebook under certain conceptions that it was a somewhat private place. It used to have a clean interface, especially compared to MySpace. And now it seems that there is something every month where they have started to sell or give more of my stuff to some company without my knowledge."
Facebook sucked us all in and has now pulled the old bait-and-switch. That's what annoys me. It's not that I've ever posted anything on Facebook I'd be concerned about going public, but I'm sure finding myself thinking harder to make sure that's the case.

The main thing is that I have friends and family who are more sensitive about privacy on Facebook than I am, and several years ago when I was asked I would say "It's fine. Just make sure you have the right configuration and you'll have privacy." Well, now there is no way I can say that any more. Even I, as an experienced cybersecurity professional who has written policies in the most complicated policy languages you can imagine, have a hard time understanding Facebook's privacy controls. Plus, it's a treadmill, with new settings to constantly tweak.

Facebook has made me regret ever endorsing it. To anyone I've ever suggested it was a good thing, I apologize.

Where does that leave me?

I really do still get a lot of value out of Facebook: interactions with friends and family. Its large number of users gives it a network effect, which in turn gives it the equivalent of vendor lock-in. I'd love to pick up all my friends and family and move them, but that's really hard to coordinate. Plus I'm not even sure any good alternatives exist.

What I've decided is that I'm not going to delete my Facebook account. I'm going to keep it, but cleanse it of all photos and basically any other information on my profile. I'll keep using it to keep up with friends and family, but I'm not going to post any new content there myself. My Twitter updates and blog posts will still appear there (i.e. stuff that is already public), but I'm giving Facebook nothing about myself to use in any way.


Cybersecurity: Can vs Will, a question of economics.

I read an article on a panel held at an event hosted by the Center for National Policy in Washington which asked the question: "Who can do a better job of protecting us from cyberthreats: private companies like Google, or Uncle Sam?"

While this is a good question, one that I think is more important is "Who will do a better job of protecting us?" (Or perhaps, "Who is us - the company or the American people?")

In my mind it's a question of what the entity's motivation is. In the case of companies, that motivation is driven by economics.

I'm sure companies will slowly but surely do a better job of protecting what is important to them and their financial well-being, e.g. trade secrets and other vital data. But what about protecting what is important to me? Increasingly our data is in the hands of companies, and the consequences of their losing that data to a cyberattack fall not on the companies but on the person the data is about.

Economics says it only makes sense for a company to spend on protecting something a reasonable fraction of the damage the company itself would suffer from losing it. That's fine, but what if that thing has much more value to someone else, such as my medical records in the hands of my local hospital? If their systems get hacked and my records get stolen, it's of little direct harm to them, but of great consequence to me.

This is where government has to play a role, through regulation and setting standards. As with Sarbanes-Oxley, we need to hold companies to higher standards not because it's in the best interest of the company, but because others are harmed when the company fails to act properly.

Cybersecurity Act of 2010

The proposed Cybersecurity Act of 2010 sounds good. Funding scholarships and academic programs is very good: having more and better-trained people is ultimately the best thing we can do for cybersecurity (more so, I believe, than any technology advancement).

Increasing collaboration between public and private security, as well as organizing the federal government, are also good goals, but a high bar. Just think how well we've managed to organize existing law enforcement: it's a tough task filled with turf wars and communications challenges.

Edited to add: this bill would be reconciled with the Cybersecurity Enhancement Bill I blogged about previously.

The power of the Off Switch: You'll never miss it until it's gone.

If you grew up a Star Trek fan, you've probably seen the episode where the computer runs amok, putting the whole ship in danger. The crew has to figure out some clever, complicated means to stop the computer and save the day: asking it to compute pi to the last digit.

If you were like me, you watched this and at some point asked "Don't they have an Off Switch for the blooming thing?" (At least in the movie 2001, they put a guillotine on the computer's power line.)

These memories came back to me recently when I read a stinging critique of the problems with the Toyota Prius and the fact that if it malfunctions, it doesn't have a proper Off Switch, just a button you have to hold down for three seconds (and you have to hope the same software bug doesn't break that too). In the past I'd seen similar criticisms of other devices, like the iPhone, but this is the most serious context for the criticism.

Bringing this into the context of security, I strongly believe that being able to Prevent, Detect and Respond are the three pillars of any good plan. In the worst case, when you really lose control, Respond means being able to disconnect or turn off the device in question.

Without an Off Switch, you lose the ability to deal with that worst-case scenario. With Prevent, Detect and Respond it is important not to put all your eggs in one basket; as the missing Off Switch shows, it's just as important not to take all the eggs out of a basket either.

Google and the NSA

The NSA is going to help Google figure out what happened in the recent cyberattacks it suffered and how to make itself safer in the future. I've seen discussions about this, both pro and con.

I think it's a good thing, assuming the NSA's involvement is limited to consulting as opposed to operating. Of all the government agencies, the NSA seems the most advanced in terms of cybersecurity, and I suspect it has enough expertise to be of help. Google has a great deal of expertise of its own, though, so I suspect the main thing the NSA brings to the table in this case is information about the attackers and their techniques.

I think Google is important enough that anything that makes Google safer is good for all of us, in the same way improving the safety of airlines, food supply chains and the electric grid is good for all of us.

I also think it's natural for the government to have a role in a company's response to cyberattacks. As a colleague pointed out, if a company found a body in its lobby it would have to call the police; no one would think twice about it. But there is no such requirement for a company suffering a major cyberattack, and given how much data about us and belonging to us companies increasingly hold, I think greater transparency in responding to cyberattacks is the right thing.

Though I think our government has a ways to go to really be up to this task in general.

Some good news: Cybersecurity Enhancement Bill passed by house

The House passed what looks like a very well-thought-out Cybersecurity Enhancement Bill. What I like about it in particular is that it has an educational aspect and a social/behavioral research aspect, both under the auspices of the National Science Foundation (NSF). I think this is a great direction: ultimately, having more and better-trained cybersecurity professionals and understanding end users better does at least as much to make us safer as any new technology. And having NSF do this gives me great confidence that the results will have broad impact rather than being sequestered as "sensitive".

Good summary of Web Security Vulnerabilities

Nice article in Smashing Magazine summarizing the different classes of web security vulnerability: cross-site scripting, path traversal, SQL injection, cross-site request forgery, etc. (via Bruce Schneier)

Mikey Hicks, 8, Can't Get Off U.S. Terror Watch List

A problem with identity in the real world is that it's hard to uniquely identify someone. A name is rarely unique enough (even for me, with a rather unusual name, there are at least two other people in the U.S. with the same name). Adding the middle name certainly helps, but is not foolproof.

Adding other attributes, like a street address, also helps, but those attributes tend to change often, so you have to keep a history of them, which complicates things greatly. It's hard to determine that this is the John Smith who used to live at 123 Main Street.

The other option is biometrics: fingerprints or even just a photo. But now you need online databases, software and readers, which are expensive (and what do you do when they break?). Plus you have to worry about privacy and theft of the data.

Moxie Marlinspike SSL video

Happy New Year! I'm catching up on some of the material I wanted to blog about last year but just didn't get to. This post is about a talk that is definitely more advanced, for someone interested in learning about cybersecurity, specifically secure web browsing, in more depth.

One of the security vulnerabilities that made news in 2009 was found by a hacker/security researcher going by the name Moxie Marlinspike: an interesting vulnerability in how we have implemented PKI, which provides identities for SSL/TLS, which in turn provides the security for HTTPS. Whew, that's a lot of acronyms, sorry; the short version would be "how we do secure web browsing".

While the exploit has largely been dealt with at this point, Moxie's talk is posted online and is interesting to watch from an educational perspective because it gives a good overview of HTTPS, PKI and the fundamentals of secure web browsing.

The exploit itself is also interesting in that it shows how a seemingly innocuous thing (how we choose to encode strings) can come back to bite us: a certificate's name is stored as a length-prefixed string, so it can contain a NUL byte, but the browser code checking it treated the name as a NUL-terminated C string and saw only the part before the NUL. Moxie also touches on how this exploit could be used to attack OCSP and automatic software updates. It's a good example of how a little thing can be extended to attack complicated systems.
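As an added illustration (not code from Moxie's talk, nor from any browser or TLS library), here is the encoding mismatch the null-prefix attack relies on, boiled down to two hostname checks. The certificate name, the hostnames and both functions are constructed for this example: the vulnerable check copies the length-prefixed name into a buffer and compares it with strcmp(), so everything after the embedded NUL disappears; the hardened check keeps the declared length and refuses a name containing a NUL at all.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: a certificate Common Name as a CA would encode it.
 * X.509 carries names as length-prefixed ASN.1 strings, so the NUL is just
 * one more byte; a CA that validates ownership of the rightmost label
 * ("attacker.example") could be talked into signing it. */
static const unsigned char CN_BYTES[] = "www.bank.example\0.attacker.example";
static const size_t CN_LEN = sizeof(CN_BYTES) - 1;   /* exclude the literal's own terminator */

/* Vulnerable pattern: copy the ASN.1 value into a buffer, terminate it and
 * compare with strcmp(). Everything after the embedded NUL vanishes, so the
 * forged name compares equal to "www.bank.example".
 * Returns 1 on match, 0 otherwise. */
int naive_hostname_match(const unsigned char *cn, size_t cn_len, const char *host)
{
    char buf[256];

    if (cn_len >= sizeof buf)
        return 0;
    memcpy(buf, cn, cn_len);
    buf[cn_len] = '\0';
    return strcmp(buf, host) == 0;
}

/* Hardened pattern: never let the declared length and the C-string length
 * disagree. An embedded NUL is rejected outright (no DNS name contains one),
 * and the comparison covers all cn_len bytes, so the ".attacker.example"
 * tail can never be hidden. Returns 1 on match, 0 otherwise. */
int safe_hostname_match(const unsigned char *cn, size_t cn_len, const char *host)
{
    if (memchr(cn, '\0', cn_len) != NULL)   /* NUL inside the name: malformed, reject */
        return 0;
    if (cn_len != strlen(host))             /* lengths must agree before comparing bytes */
        return 0;
    return memcmp(cn, host, cn_len) == 0;
}

int main(void)
{
    const char *victim = "www.bank.example";

    printf("naive check accepts forged certificate:  %s\n",
           naive_hostname_match(CN_BYTES, CN_LEN, victim) ? "yes" : "no");
    printf("safe check accepts forged certificate:   %s\n",
           safe_hostname_match(CN_BYTES, CN_LEN, victim) ? "yes" : "no");
    printf("safe check accepts genuine certificate:  %s\n",
           safe_hostname_match((const unsigned char *)victim, strlen(victim), victim)
               ? "yes" : "no");
    return 0;
}
```

The same length-versus-terminator check belongs at every point where an ASN.1 string is handed to C-string APIs (subject alternative names included, since the Common Name is not the only place a name gets matched), which is why a single overlooked conversion could reach so far.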

The video is about an hour long. It does include one use of adult language (sh*t).