privacy


Lately it’s been popular to post "25 Random Things About Me" on Facebook and other social networking sites. Although it can be harmless fun I’ve discovered that many people are not exercising caution in what they post. Kinda hard to believe isn’t it? So here is my list of "25 Random Reasons I Won’t Tell You 25 Random Things About Me"

  1. You don’t need to know 25 random things about me
  2. Privacy on the Internet is already bad enough and doesn’t need help
  3. I’ve seen too many of my friends tell things about themselves that the rest of the world doesn’t need to know
  4. I’ve learned things about them that could be used against them
  5. I’ve learned enough to become them on other social networking sites
  6. I’ve learned enough about a couple of them to quite possibly open a credit card account in their name
  7. I’ve learned enough about them to guess usernames on other sites
  8. I’ve learned enough about them to be able to guess passwords or password hints on other sites
  9. I’ve learned enough about some of their friends to do the same
  10. I’ve learned enough about them to wonder why I was friends with them in the first place. :)
  11. I’ve learned enough about their friends to make me glad I’m not their friend :)
  12. I have learned enough about privacy and the insecure nature of the internet not to post too much about myself for the world to see
  13. I’ve seen too many cases where simple, "harmless" facts have been used to hack accounts
  14. There are plenty of random things about me that I just don’t want the world to know
  15. Some of those things may make my friends wonder why they were ever my friend :)
  16. Most people make it easy enough to find out random things about themselves without posting them on the internet
  17. I’ve worked hard to build a good reputation on the internet and don’t want to ruin it in a moment of unguarded fun
  18. Remember, much of what you post (if not all) can be seen by not only your friends but your friends’ friends also.
  19. Even if you make it private, vulnerabilities in web sites often lead to private being public.
  20. Once you post it to the internet you can never take it back
  21. There is a good chance that someone will find it that you didn’t want to find it
  22. It can be used against you in the future and may cost you a job or promotion
  23. The things that I want people to know are already known
  24. I’m trying hard to keep the rest of it out of the public eye (not that it’s bad, just being careful)
  25. You probably don’t want to know 25 random things about me.

There you have it. I welcome your comments and/or suggestions of other reasons why this can be a bad idea.

According to this article on ComputerWorld.com Viacom has agreed to allow Google and YouTube to obfuscate the user names and IP addresses of those who view videos on YouTube. That is good news for all of us whether or not you feel that you have something to hide. It is still not a good thing that the Judge felt that our privacy had no place in this but hats off to Viacom and Google for working out this agreement.

One thing that we have to keep in mind is that when we allow our rights to be eroded little by little we will wake up one day and realize that we no longer have any rights. This is how we end up in places we don’t want to be. Every time we give something up or compromise a core value, belief or right we open up the way for a little more to be taken away at another time. A good example from life is telling a “little white lie”. We think that it won’t hurt but then we have to remember what we said, who we said it to, who knows the truth, etc… Then if we are called on to defend it we have to either fess up or continue to lie and slip further down the slippery slope.

To tie this into information security this is also how a hacker works his way into our network. He starts out looking for a small flaw or vulnerability and then over time he increases his level of rights and authority. We have to be diligent to keep our systems, applications and infrastructure in good order to prevent him from finding and exploiting flaws. If we compromise little things then later the big things will come back to bite us.

At least that is apparently what Judge Louis Stanton of the U.S. District Court for the Southern District of New York thinks. He has ordered Google to turn over 12 terabytes of data to Viacom. This data contains PERSONAL information on all YouTube users who have created an account and viewed videos. This data contains user IDs, IP addresses and viewing/uploading history. Obviously this does present a teeny bit of a privacy concern. The good Judge Stanton dismissed Google’s privacy concerns as "speculative". That’s like saying if you put an unpatched Windows XP machine on the internet w/ a public IP address you MIGHT get pwned. Give me a break.

Viacom has NO need for all of this information. If they want to know who uploaded what that is a different story. To say that they need to know who watched what is a violation of our privacy rights. This article from ComputerWorld reporter Heather Havenstein has a good write up on the ruling along with this quote from Michael Arrington

"Handing over user names and a list of videos they’ve watched to a highly litigious copyright holder is extremely likely to result in lawsuits against those users that have watched copyrighted content on YouTube," he wrote. "[The judge] clearly doesn’t understand that far more data is being transferred than is necessary to comply with Viacom’s core stated concern, which is to understand the popularity of copyright-infringing v. non-infringing material.

"Viacom has asked for far more data than that, and there’s only one use for that data: to sue individual users (or shake them down via the threat of lawsuit, which has been perfected by the RIAA) who have watched a few music videos or television shows on YouTube,"

That’s right, he said coming after you and me for watching these videos. Some would say that is far fetched but when you look at what the RIAA has done to some who share music then you kinda begin to think that there is some credence to this.

This is also just more proof that those in the legal profession need to have a better understanding of technology and the implications of what may happen when they order things such as this. Fears that this data may be used beyond the scope of the order are not speculative. Even if Viacom doesn’t use the data to come after viewers it could be compromised and then users could be blackmailed or publicly embarrassed for their viewing habits.

I’m on Twitter. I don’t use it much. It’s mostly a novelty. I use it to converse a little and to see what others are talking about that may be of interest. Sometimes I find good things to talk about in regards to Information Security. This is the main reason that I joined Twitter. A few of my friends from the Security Catalyst Community had accounts and so I thought I’d see what all the buzz was about. Soon after that Jennifer Leggio (MediaPhyter) created a "Twit List" of Security Professionals. It’s lovingly called "Security Twits".

I’ve noticed that the level of participation varies from person to person. Some twit almost constantly. Some twit rarely. Some twit from work, home, school, conferences, birthing rooms, cars, airports, just about anywhere you can imagine. Some use the web interface while others use IM clients, Twitter clients, or their mobile phone/PDA. The twittering varies also in content. It might be an "I’m currently doing <fill in the blank>". Sometimes it’s asking questions, posting links, making comments. Talking about sports, work, anything and everything.

What I’ve noticed though is that some people tell a little too much information. They seem to forget a couple of things.

  1. There could be lots and lots of people following them who do nothing but "lurk". They don’t twit back. They just sit and listen. Who are they? What are they listening for? I know that I’ve had people "follow" me who are following thousands of people. There is NO way that they can be keeping up with all the conversations. So what are they doing? Are they harvesting all you say for some other reason? Research, information gathering about your company, looking for a way to discredit you, blackmail?
  2. Some people who are at work twit a lot about what they are doing and it’s not work. Sure it may be a slow day and maybe the company doesn’t mind you doing non-work related things from time to time, but then again, maybe they do.
  3. It’s still the Internet which means that once you put it out there it’s out there to stay. Remember there is NO privacy on the Internet.

So, my fellow "Tweeples" (as Kevin Riggins likes to say) be careful out there.

MySpace has been a Security Professional’s, Privacy Rights Advocate’s and Parent’s nightmare from the beginning. Between the security vulnerabilities, privacy concerns, ease of ruining or tarnishing your reputation and ability for predators and others to harass you there has not been a lot of good to come from MySpace. Of course all of this is my opinion. There are those who love MySpace and don’t think the issues associated with it are any greater than any other social networking site including business related sites such as LinkedIn or ITToolbox. In fact some say that all web sites present equal potential to do harm to you or your computer.

Even though I’m not a big fan of MySpace I have to give them credit for working towards making things more secure and safe for their users. They are working with the Attorney Generals from 49 States and the District of Columbia to come up with a plan that hopefully will be adopted by most other social networking sites. NetworkWorld has a write up on it here. You can read the article and also find the original document to read.

Some of the things that they are doing are:

  • All profiles of users under 16 years old are automatically set to private
  • No one over 18 can view the profile of anyone under 18 (w/o jumping through hoops)
  • No one under 14 can have a MySpace profile
  • Create a database of email addresses that can’t have a profile (parents can add their kids to this database)
  • Monitor and remove inappropriate material uploaded
  • Break links to porn sites and other inappropriate sites.

These are all good and well to help make things safer and hopefully guard privacy of our kids. Unfortunately most of these can be easily gotten around.

  • To keep my profile from being set to private automatically I just lie about my age
  • To be able to view and contact those under 16 I just create a profile of someone under 16
  • If I’m 12 I just lie about my age so I can have a profile
  • If my email address is blocked I create a new email address

So, as good as it seems most of this is just fluff designed to make us think that MySpace and other sites are safe for us and our kids. It will encourage deception and create a false sense of security for kids and parents. This will lead to less monitoring by parents and more risky behavior by kids.

Like it or not parental monitoring of sites such as MySpace is the only way to ensure that your kids are safe and not doing things that they shouldn’t be doing and to lessen the possibility of them communicating with those they don’t need to communicate with.

When I wrote my post on the SSN fiasco earlier this week I started to title the post “Is Privacy Dead?”, but I decided against it for lots of reasons. It’s an overused statement, it’s been used before on other blogs, etc. Then today I listened to the latest episode of Security Now! and what was the title? “Is Privacy Dead?” It was an interesting episode that was very light on “true” security content (many would say that all episodes are light on true security) but had some interesting information.

I think most of us have known for a while that remaining anonymous and retaining full privacy is a thing of the past. Just when we think we have found the way to hide our tracks someone else finds a way to follow us. Just about everything that we do is monitored. Our TV viewing habits, phone calls (or at least who and when), what we buy, what web sites we visit, when we go through a toll booth w/ a “FastPass” type of technology, who we IM and text message, what music we download, what movies we rent and on and on and on. This is just a short list of things that someone is watching.

What is bad about this for the average person is that there is little in the way of control as to what happens to the data. Rarely, if ever, do you have a say in what the company that has the data will do with it. They may sell it, store it, give it away, use it to “profile” you, make recommendations on ads to push to you, products to sell you, which department of the government to pay you a visit. :) It’s just mind boggling.

Why can’t we just live our lives and remain somewhat anonymous? Why do all these companies need to know so much about us? I know the answers to these questions. At least the reasons that they give, but I just want to be me. I just want to buy my milk and bread without being told that other people who bought milk and bread also bought beer and chips.

We have to rethink what we decide to try and keep private about ourselves. Do we care that the grocery store knows that we always buy a certain type and flavor of Ice Cream? Is it worth saving 50 cents a tub? Probably for most of us. The same goes for our browsing and buying habits online. Most of us aren’t doing anything that we don’t want others to know about so we don’t care.

What is the problem then? The problem is that we risk becoming apathetic and then when something that really matters comes along we let it go without asking why or doing something to prevent it. The loss of something usually starts out small and then slowly gets bigger and bigger until it’s gone.

So, who has your data? Who knows what you do? It may not matter now but I think that you need to care and take steps to limit it.

  1. Ask why a company needs to know this much about you in order for you to save a few cents.
  2. Ask what other options you have other than giving out PII about you.
  3. Ask them what data they collect, what they do with it and who they share it with.
  4. Ask what controls you have over the data and what they do with it.

Then make a decision.

  • Do you go ahead and give in?
  • Do you not give out what you don’t have to?
  • Do you “opt out” of what you can?
  • Do you make up some of the information so they can’t track the “real” you?

They aren’t going to quit collecting data and the bad guys are getting better at getting to it so you have to decide what to do. Protect what you can and make plans to recover if something bad happens with what you can’t protect.

Robert over at the Errata Security Blog writes about a fear that he has. He read a post that made him start to worry more about the possibility of encryption being used against you. I think I agree with him. Our rights are being eroded almost every day. A new law is passed or a judge with an agenda makes a ruling that makes it illegal for the average person to do something that is completely harmless. Already in some countries rights have been taken away all in the name of “security”. Handguns have been banned and made illegal, encryption keys are required to be given to law enforcement, etc…

Robert has a method that he suggests that all of us use to do a couple of things. One will make it much harder for law enforcement to determine what is actually encrypted data and what is just random “junk”. The other will make the daily use of encryption more acceptable and “normal”. The purpose is to increase the use of encryption so that it is considered something that the normal person would do. Kind of along the line of the “Reasonable Person” rule used in many legal cases.

I like the ideas but the method is not for the faint of heart. Many IT and information security pros would have difficulty making sense of his plan unless they are very familiar with cryptography. So it is out of the question for the “average Joe”. Not to mention many would have moral and religious issues with carrying around a DVD full of encrypted Porn. :)

My suggestion is that we, the IT and Security community, need to do a couple of things. First, we need to make sure that we use encryption on all of our personal systems. It’s a good idea from a privacy and security perspective, but even if you don’t have anything to hide use it just to increase the number of people using it for normal and legitimate reasons. Second, we need to encourage and teach our friends and family how to use it. There are several free and low cost options for encrypting our disk or data. Third, we need to create a plan to get the word out to the rest of the world. We also need to create some easy to understand guides that we can make available to anyone. They need to be done in such a way as to be usable by most anyone without them needing assistance from someone who understands encryption.

This is a big challenge, especially number 3, but I think we can do it. How is the question. I have posted this question to the forums over at the Security Catalysts Community also. So between them and us we can come up with a plan.

Bruce Schneier writes about a new Cell Phone Service that actually acts as a bug and records 1/3 of the audio it picks up. These devices are supposed to be “marketing” tools, but in reality they are privacy invaders. Obviously this is not something to take lightly. Our privacy is getting to be harder and harder to protect. Now we have to deal with something such as this.

One of the comments that was posted said that the people choose to sign up for it so it’s their choice to give up their privacy. That may be so but it’s not my choice to give up my privacy if I happen to be talking to you or within recording distance of you. Many people just don’t get it that they don’t live on an island all by themselves. The choices you make will affect others.

This article on CNET.com makes my skin crawl. I know it’s not new information but it just doesn’t sit well with me. They say that due to the fact that the microphones are 3 to 4 meters off the ground they can’t pick up normal conversations, but we all know that it won’t take much to change that. These are the things that are slowly stealing our privacy and rights.
