So the Apple issue hit the web news yesterday.  All the “OMG HAXXX” and Fox News proclaiming your spouse or employee can monitor your every move stories hit the web and to the non-technical people this seemed like the worst thing ever.   The first thing that came to my mind?  I thought “This is awesome what can I do with my own data”.    I’m not alone with this, my wife’s first reaction? “Ohmygodthisisawesomewhatcanwedowiththis?”  She is also an extremely private person and more privacy conscious than I am.   I am privacy concerned on issues – when they are real issues.  This, so far, is a fairly non issue.   My favorite quote about this yesterday was by @adambaldwin – ” iPhone stores a record of everyplace you visit. In other news your browser can also set cookies.”

So last night after my son went to bed, I pulled out the laptop and dug into the issue to see what I can do..  Unfortunately we don’t have a modern apple computer in the house.   The instant visualization software is for OSX only.  The only OSX machine we have currently is a first-gen mac mini.  Seeing the file should be the same I used my normal day to day netbook and started the process.   This page gave me all the information on dumping the file.   The pages main focus is the OSX application that I mentioned.   Checking what I would need I had python installed, but grep was not on this computer.   I installed grep and started to dig in.   There was a bit of confusion on my part on which python script was the correct on to parse the file with.  After I did get the correct one it through back errors. I am hoping to get time this weekend to start digging into it again.

I spent the remainder of the time jumping from forum to forum reading about the file structure and seeing other dumps of this file.   On one forum thread, there was another individual that had a different take on the file:

Righto, calm down, it’s unique information for each router found. It’s not tracking your location over time or you’d see dupes. Here’s the transcript, errors and all – the important part is the uniq -d at the end which searches for duplicate MAC rows. There are none.

So his analysis would seem to say that this was part of the “assisted” GPS function of iOS.   This would make sense because it is quite a bit less resource intensive than the GPS chip in the phone.    Another story I have heard that it is cell tower triangulation data – which in the area I live would only give a general location and not be accurate at all.  If it is part of WiFi tracking for assisted location-based tracking – then this file actually makes sense.   This data would have to be stored in the phone to be effective – the argument would then be if it should be in plain text or not.   Finally I have heard it is both WiFi routers and cell towers.

I also had one other thing wrong talking to friends about this last night.  Currently there is no law passed (many pending) on how long telecoms are required to keep your data.  This information is more in depth than just this tracking information in the file.  This data IS accessible by law enforcement agencies without a warrant.   So I am more concerned about my privacy from that angle than a text file included on my computer in an iPhone backup.

While driving into work today I was listening to This Week in Law.  There was a discussion on mistrials that are occurring because jury members have been using Twitter or looking up information online.  You can’t put the genie back into the lamp for the internet, so it’s something the legal system is grappling with right now.   This caused me to drift off and start thinking like any good person that likes to manipulate the system, especially if it is within the rules of the system.

I had to report for jury duty last year.   Leading up to it all I could think about was ways to try and get out of it.   None of my ideas seemed feasible or held water enough to try.  I gave up trying to find a work around and showed up.   So this morning listening to the podcast, the idea of getting out of jury duty again popped in my head – though it had no immediate bearing on me.  The closest I could come up with as a new idea in this digital age that scares the current legal system – blog about your local -county – state legal system.  Seriously let’s work through this scenario, if you were asked to sit on a jury and they ask you if you know anything about the case – you say that you wrote a blog opinion article it on just a few weeks ago.   Dismissed.   You would still have to show up for selection, but if you did regular postings of cases that would go to court – you should never have to serve.   You would have had a preconceived opinion going in – and that’s a no-no for the legal system.

As another FYI – I’m not sure how this would pan out if you figured out what case you would be on and wrote a single article on it.  Another option would be to start a message board with a post for every offense in the community (granted all of this is huge invasion of privacy, but we are looking at a bigger picture).   If your neighbors are on a message board or your blog, leaving opinionated comments – they would likely be dismissed also.

The government wants you to be an informed citizen, just not an opinionated one.  If you can prove you had preconceived opinion (and don’t make them something you can get sued for libel with) – then you should be dismissed in any jury selection process.

Have I missed anything?

Spammers as part of the conversation, how do you resolve this?  I understand how to deal with normal blog spam, ala “Check out my webcam or herbal remedies here”.   What do you do when they take part in the conversation.   The spam part comes into their website link, but they are actually commenting on topic to the post instead of willy nilly going through and posting things that have no bearing on the topic.   So how do you deal with these topical spammers?

For the moment I’m letting most of them slide.  The ones that have attempted to impersonate my top commentors, I don’t care how on topic they are, I know those commentors email addresses and I’m not going to let that little tactic stand.  I find it funniest when it is the ones impersonating my wife.   I don’t have anything to show you as an example since I’ve removed all of those posts.

My question to you is, how would you deal with this situation?

While shopping for cars this weekend, we decided to do a VIN history check against the cars we were looking out.   While we didn’t find any that had been in a flood or a wreck (the things they scare you into doing these checks), we did find a few cars that had been used as rental cars.  When you are doing these checks there are really only two major companies to do them with, you have a choice of CarFax or Autocheck.  I’ve used CarFax in the past, so I decided to try out Autocheck.  Both offer the same information, and if I had to tell you to use one or the other, I would tell you to choose whichever is cheapest for the day.

So I signed up, handed over the credit card number, and suddenly I was logged in.   I was iffy because they never prompted me for a password, yet there was a log out button at the top of the screen.   This was supposed to allow for unlimited searches for 60 days, so how is my account secured?   Not wanting to close the window I was actively working in (just in case) I opened another browser and attempted to login.   It asked me for my email address and click next.   I was then logged in – no password at all.

Now it doesn’t seem that you can review your look up history, since all historical lookups are sent to you via email and they are not stored on the server.   What it does allow is people to bypass account security since if you know an email address of someone with this service you can get your own searches for free.    You would think this would be at least slightly more secure since it’s run by one of the largest credit agencies.

One thing that has always annoyed me about WordPress is it’s “I don’t think about security for features” attitude.    Over time they have locked down the APIs a bit more.   They are now disabled by default.  Default passwords are complex when using a suggested one in the current version.   So what is my complaint?

Posting by e-mail is the easy way to take over your blog, at least in the content side of things.   For someone that crossposts, this could be a doubly evil attack.   This is why I have no good method for posting by e-mail on WordPress.  Essentially it is either on or it’s off.  Currently I have mine turned off, even those this could be a real boon to me when I am mobile.

There is one simple method they could do to adjust this and make it usable without worrying about someone finding out your “secret” e-mail posting address and posting things on the front page of your blog;  give you an option to allow the posts to show up as drafts (since I would also like to do some final formatting before publishing an article anyways).  There was a plugin called Postie which I used for my life archiving project, but I could never get to run automatically – so I gave up on that solution.  It is still a function that I desperately want.

I received advice once that if you posted to your blog via e-mail from an unknown e-mail address that it would post it as a draft post (i.e. not showing on your front page).   I did some testing on this, it’s a false rumor.   It so gave me hope.

So which version of WordPress is going to plug this whole and just give you the option to set e-mailed in articles as drafts?

Actually it updated yesterday, but I didn’t receive the notification last night to update it within the admin console.  I looked and looked for it, this morning it finally popped up.  Go here to see the changes between 2.7 and 2.7.1.  Now be a good blogosphere citizen and update your blogs.

So I’ve talked about my hosting provider before, their tech support isn’t the brightest crayons in the box.  It seems whatever issue I have with them, they don’t read what exactly I want.  Key word analysis is great guys, I did it when I worked phone support at Symantec.   What I didn’t do is misinterpret everything the customer said on every single issue.    If something isn’t working you have to fix it.

Warning for the non-geeks that read my site, this is about to get technical.

Let’s go back to the beginning and flash forward to present day.    In September I really wanted to implement SSL for the administration section of my blog – simple, easy, and secure.   The biggest reason for this was the WordPress 2.7 series offered better support for SSL, so now why the time to implement instead of hacking around with plugins for support.  This turned out to be not so simple.

Online I found my hosting provider is supposed to offer a server self signed certificate, so I sent the following message to tech support:

Is there a shared server certificate for SSL that I can use for my wordpress installation?

Now I’m fast and willing to pick through things on my own, so before technical support could reply I added this second message to my brand new ticket.

I found the SSL manager in cpanel -

1.  Do you have instructions on properly generating your SSL key for use with
this (wording might be wrong – but how to configure this so I can use it with
my creeva.com domain?

2.  Do you instructions on using this with wordpress?

Simple and straight forward I thought.    Here is what I got back:

Hello,

If you install the  shared SSL for the domain, you will be getting warning when
you take the site.

It is better to purchase SSL from third party godday.

Please check the link given below for installing SSL.
http://www.cpanel.net/support/docs/11/cpanel/sec_ssl.html

In case you have any more queries, please don’t hesitate to contact us with
all the required details. We’ll be happy to assist you further.

Let’s throw the little bit of broken english aside for a moment and break this down.  I am aware (of course they don’t know this) that I will be getting a certificate mismatch error when I login to the SSL site.  Problem one I see is that they are sending me a third party, yet they sell an SSL service – I find this odd, but Godaddy (I’m assuming that was what he meant) is cheaper.  Good customer service?  Maybe.  The other problem is that he sent me the instructions to doing this in Cpanel 11, all fine and good, but they have all of their customer on Cpanel 10.  The instructions were similar and I followed them.   After implementing the changes I attempted to go to my website on HTTPS.   Firefox through out the following message:

Secure Connection Failed

An error occurred during a connection to creeva.com.
SSL received a record that exceeded the maximum permissible length.
(Error code: ssl_error_rx_record_too_long)

The page you are trying to view can not be shown because the authenticity of
the received data could not be verified.

* Please contact the web site owners to inform them of this problem.

I spent a day researching this message, BTW Firefox’s documentation of error message is terrible, hence why it took me a day instead of minutes.   Also Firefox’s documentation is wrong as I would find out later.  After a few days of trying to get this to work I gave up and wrote this off as a lost cause for the moment and focused on other things.

Flash forward to yesterday, I decided to reopen this ticket since again I wanted SSL.  I knew from experience that the shared cerrtificate would not work properly, so I went and generated a free (valid) one from Instant SSL.  I wanted to do this before purchasing my own SSL certificate from Godaddy, just to make sure everything was working properly.   I went through all of the steps and I go thte same error message.  Well I saved the thirteen dollars a valid certificate would have cost, but wasn’t any closer to my end goal of an encrypted WordPress administration section.  I still wanted this so I opened the original ticket back up (tech support hates that BTW) and added the following note:

I’m back to this again – I was considering buying SSL instead of using the
shared cert – but having applied a cert from Comodo – I’m getting the same
error in firefox:

Secure Connection Failed

An error occurred during a connection to creeva.com.
SSL received a record that exceeded the maximum permissible length.
(Error code: ssl_error_rx_record_too_long)

The page you are trying to view can not be shown because the authenticity of
the received data could not be verified.

* Please contact the web site owners to inform them of this problem.

If I try Internet Explorer it doesn’t even connect

If I use digicerts SSL checker – http://www.digicert.com/help/ I get this:

DNS resolves ‘creeva.com’ to 69.4.229.212
No certificates were found.
Output from ‘openssl s_client’ command:
13127:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
protocol:s23_clnt.c:585: CONNECTED(00000003

Now following godaddy’s instructions it seems I need access to cpanel WHM -
which is somethig from a shared hosting perspective I need you to implement.
Can I get this done – also I’m perfectly fine using a self signed server
generated cert (which is what it currently is right now)

Since I’m not using a shopping cart and I’m only going to use SSL for
maintenance of wordpress, it’s perfectly fine for me to receive the security
exception warning in firefox since it will not be a customer facing error, I
only want the encryption side, not the non-repudiation side of SSL.

Also the instructions you sent me are for Cpanel 11 – currently my account uses
cpanel 10 when I login

For those technical people that understand what I’m trying to accomplish, am I unclear on this?  Please excuse my muddled use of non-repudiation.  Also that stupid Firefox message I stated was vague, well it seems the server wasn’t even completing the connection properly – stupid Firefox error messages.  This is the response I got back:

For installing a dedicated SSL certificate on your domain, you will have to
purchase a static IP(dedicated IP) for your domain. For that you need to
contact our billing department.
After obtaining a static IP, we will assign that IP to your domain. You can
upload  your cert , key and CA bundle  for the site to the server so that we
can install the cert for you.
Also please note that there will be some downtime for the site until the IP
change propagates globally.

Please confirm if you need a static IP for the domain, so that we can forward
this to the concerned department.

Now what part my message did they not understand I did state that I was perfectly fine with an error message, that I wanted to use the shared certificate.   I think I implied fairly well that I would prefer to use the shared certificate, that way I wouldn’t have to actually buy my own.    This is the problem you get into when you do keyword scanning, at least the first guy with broken english understood my question better.  My response:

Like I said in my previous e-mail – I do not need a static IP, nor do I need
a dedicated SSL certificate – I’m fine using the standard shared SSL
certificate – as was/is advertised online that all plans came with a shared
server SSL cert – that is what I would like to use and that is what is not
working.

Maybe they’ve finally understood my issue?

We are checking your query  regarding shared SSL in detail. We will get back to
you with the updates soon.

Soon came about thirty minutes later:

After careful review of this ticket, we have decided that you could be better
assisted in another department within our company.

For this reason, we are transferring your ticket. Please expect a short period
of time where this ticket is not updated, as it is queued up at its
destination.

We make every effort possible to take care of every ticket as quickly as we
can. We will contact you shortly.

Thank you for understanding,

Was was nice enough to leave off the names of their technical support staff.   What I don’t understand is why I have to go to another department – maybe I’m going to the server admins who actually make the changes?  Any time I have an issue it seems that I have to go through a lot of back and forth in the technical support team.   If you techies read my inquiries as unclear, please let me know.   As I get more information I’ll be updating the comments.

Grrrrrrrrrrrrrr

UPDATE – not often I get to update – it seems HTTPS is now working on my domains – well kind of.   I still have more configuration to complete on my side, but it is at least answering now.  Only took thirteen hours.

Image from here

A few weeks ago I wrote about the NYPD want the ability to turn disable cellphone coverage in the case of a terrorist attack. Now it seems that states and local governments are fighting for their own ability to do that.   In my previous story I pointed how fruitless and ineffective it would truly be during a terrorist attack, I think it’s insane.   The question I have now has anyone thought about how this is a terrorist attack against our own people?

The idea of a terrorist is that they use fear as an attack weapon.   If there is an emergency going on and people can not get through to there loved ones that this wouldn’t inspire fear.   Heck it may scare some people if they can’t send a message about the emergency to Twitter or Facebook.  We’ve all seen enough movies that we are ingrained as a people if hte enemy is going to attack they will cut off our communications so we can not coordinate a counter offensive properly.   This is an of it’s self stupid since something will always get through, example Independence Day and the Morse Code maneuver.  Yet this would scare and dare I say terrorize people since not only would you be scared since you can’t call, no one around you can call and is freaking out also.

This is a sad side effect of living in the era of constant communication, we take it for granted.   When it would be ripped away form us, and we wouldn’t know what is going on, what ideas is that going to put in your mind.  People in the middle america may think a cell tower is down, what if they drive an hour – even the most idiotic person isn’t going to think all the towers are down.   Some people may think since I’m saying that the government has an inadvertant take on an idea that could become a terrorist weapon that I’m a nut job.   I however think this is a fairly obvious look at human psychology.

Everyone else is writing about network neutrality today (here, here, and here), so I’m jumping on the bandwagon.   Actually I meant ot write this last night, so since I’m slow and lazy the others beat me to the punch.   Late last night I saw the first posts about Google’s MeasurementLabs sneak across the RSS feeds.  What the tools you can get from that web site do is find out if your ISP is doing any funny stuff to your internet data.

I highly recommend so they can get the broadest picture possible running these tools.   It makes you a good Internet neighbor.

Image from here

The other day I was browsing Craig’s List and noticed a listing for some free software.   It wasn’t anything I was interested in, but I did stop an think about it.   We talk about all the time about verifying where you download software from.   We hear all the time about pirated software that looks the same as legitimate software.     So why would you take free software from Craig’s List?

I guess this is just more an observation.  I’m just pointing out common sense that people should be thinking.  I’m just trying to point out that there is no such thing as a more trustable anonymous source.   It would be easy to compromise a computer by offering free software on Craig’s List and manipulating it before handing it out.

I’m not saying not to take – just think twice.

Image from here

While I don’t really blame NYPD from wanting to evolve and learn from other terrorists attacks, I think they are very short sighted in the idea of  blocking cell phone service in a terrorist attack.   I first read about this story on a Wired.com blog entry, I thought how asinine an idea just reading the headline.

The historical aspect where they are working form is the terrorist attacks in Mumbai that happened last month.   The terrorists used cell phone networks, GPS, and anonymous e-mail to coordinate their attacks.    The NYPD think that if they shut down cell phone coverage in the Big Apple terrorist cells  won’t be able to coordinate attacks in the big city.  There are a few things that they don’t seem to be aware of.   Terrorists are smart in most cases, citizens are ignorant.

We already saw in the Sept. 11th attacks the panic that is caused by the loss of cell  phone service.  If there is another large attack, normal people in NYC will panic, since the communication infrastructure was supposed to be strengthened post 9/11.  If they can’t reach their loved ones, if there isn’t a way to get news in and out, people will panic and make the problem larger then it would be otherwise.   This is just how the normal citizens would react, what about the terrorists.

Well this news has made it to the web, so terrorists can now plan for this eventuality.   They can now be ready to act if their cell phones are blacked out.  Also NYC is the land of open wi-fi hot spots.  Anyone with and sense could easily work with a wifi phone or a laptop and still have communication with one another.   So the next thing they would have to look at is blocking out cellular coverage and all internet access in and out of the city.   This is also if they are not coordinated ahead of time.   This is all a smoke screen to give teh police more power then is needed.

Remember -  “Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety.” ~ Ben Franklin

The recent twitter phishing scam had non twitter users scratching their heads on why this service would be targeted for a phishing scam at all.. Most people view little or no monetary value to twitter accounts. For most people this may actually be true. For people like Scoble or companies that promote themselves over twitter, well the brand name damage caused by a hijacked twitter account could be quite costly.

One of my friends on twitter had a reply about this issue (I’m assuming the other person didn’t realize the long tail potential impact (yes I used the term long tail – get over it)). What I saw was this:

@jeremyasmus could be any number of reasons, spread malware, spam, get passwords, us humans tend to use the same password over and over.

This is the crux of the issue isn’t it? The problem isn’t average user with nine friends directly, it’s the large power users and the passwords for other services. Let’s look at each of these.

Let’s say you are Scoble and your account get’s hijacked. Scoble has a level of trust built from himself, he is known to get the inside scoop on information, people click his links. Scoble has over 47,000 followers. If his account was hijacked and ten percent clicked a link that was really a malware installer – that would be 4,700 people infected within a matter of minutes. I think however the number of Scoble followers would be much larger probable in the 50-60% range. For a malware distribution this is a great return for the time frame, with the added benefit that you may get some other high profile names in the attack.

The cost to deploy such an attack is extremely low – under ten dollars, while the net return would be a few thousand, potentially more. Since there is little risk to getting caught if you know what you are doing, you could make some decent money by exploiting this chain of trust that exists and is protected by a mere password.

Let’s look at the side of this coin, the normal user.  Adam Baldwin nailed it right on the head when he stated “us humans tend to use the same password over and over”. I know I do, though different level of things have different passwords – my banking account does not use the same username/password combination as my twitter account – neener/neener. It is however shared with some other web 2.0 services. Some other people may not be so diligent. This once again is a chain of trust issue. You are trusting the companies that you give your passwords to are truly them, so once your password is in the wild it’s exposed and all of your accounts are open to attack.

Let’s look at the information an attacker can get from you if they have your twitter password:

User Name – while by itself it’s exposing a little bit about your account and your password – the problem lies in having both bits of this information. That part should be blatantly obvious. The issue lies in the fact that most of us use the same username or “handle” across many sites on the web. Doing a Google search for “Creeva” yields over 46,000 hits. A lot of these hits are different services that I play with and over 90% of the hits link back directly to me in some fashion. Since most sites use you username as your login name, if I used the same password every single one of these services would be exposed if I fell for the twitter phising scam.

E-Mail Address – Yes though it maybe only a small amount these days, your e-mail address is still worth a few percentages of a penny to the spammer. This would get you on more mailing lists, and ones that would be quite hard to get off of. It is also normally used as a login name for service that do not use your handle. More accounts have now been exposed because of this. If your e-mail account passwords is the same as your twitter account (dumb mistake) everything about your online life, accounts, and transactions can now be exposed and utilized against you. Would you notice a gmail filter that someone setup to clone every incoming e-mail?

The other issue is even you do not have accounts that show up in a Google search they could use a service search engine such as Spokeo to find accounts even you may have forgotten about.

Mobile Phone Number – This probably would be one of the most annoying things, that your phone number has been exposed to the internet underground. Phone spam, call back charges; there are a few things they can do with this number. I do think this is small annoyance compared to loosing your email account.

Being a good security professional my recommendation is to use strong passwords that are unique to each service and are rotated regularly. I am also a realist and know that you won’t. This may be the time to start doing segmentation where different accounts do get different levels of passwords. This is what I do so if my twitter account was compromised only the services that I consider on par with Twitter security-wise was at risk. Lower level accounts would be safe and higher level accounts would be safe. I also think with the range of accounts, I could move faster then the phishers going through and knowing what to change faster then they could try all 46,000 sites. It’s a thought – now what are yours?

Picture from here

Though I don’t think it’s related to the search engine privacy story, Google has just released a web book for free titled Browser Security Handbook.   Some people are relating to this as Google’s answer to the security (and privacy) issues raised by Chrome.  Others belive it’s a way of giving back to the community based on the way Google looks at these concerns and how they address them.

Currently I’m reading through and thought I would share.   You can go to the project page, download test cases, or read it online.   If you have any interest in this field I suggest you at least do one of them.

Picture from here

Techtree.com in India is reporting that there are privacy concerns with search engines saving your browsing information.   Really?  This was news a few years ago in the US, we know what we are giving them and respect that they will use the information to make their products more marketable.  In turn they will conitnue to give us “free” access to their services, and we should be guarded with what information we give them.   At least the tech and privacy savy user does.

Why I ran across this on Google News this morning I have no idea.   This should be nothing new, yet it makes the news.   Sorry just dealing with a little annoyance in my cereal this morning.

Two weeks ago I wrote that the suspect in that compromised Palin’s Yahoo Mail account was not indicted.   Today Wired is reporting that he has been indicted.  Currently he is facing five years in prison and a $250,000 fine

Read the whole story at Wired News – AP News.

First let’s start with something from Cory Doctorow‘s book Little Brother:

If you ever decide to do something as stupid as build an automatic terrorism detector, here’s a math lesson you need to learn first. It’s called “the paradox of the false positive,” and it’s a doozy.

Say you have a new disease, called Super-AIDS. Only one in a million people gets Super-AIDS. You develop a test for Super-AIDS that’s 99 percent accurate. I mean, 99 percent of the time, it gives the correct result — true if the subject is infected, and false if the subject is healthy. You give the test to a million people.

One in a million people have Super-AIDS. One in a hundred people that you test will generate a “false positive” — the test will say he has Super-AIDS even though he doesn’t. That’s what “99 percent accurate” means: one percent wrong.

What’s one percent of one million?

1,000,000/100 = 10,000

One in a million people has Super-AIDS. If you test a million random people, you’ll probably only find one case of real Super-AIDS. But your test won’t identify one person as having Super-AIDS. It will identify 10,000 people as having it.

Your 99 percent accurate test will perform with 99.99 percent inaccuracy.

That’s the paradox of the false positive. When you try to find something really rare, your test’s accuracy has to match the rarity of the thing you’re looking for. If you’re trying to point at a single pixel on your screen, a sharp pencil is a good pointer: the pencil-tip is a lot smaller (more accurate) than the pixels. But a pencil-tip is no good at pointing at a single atom in your screen. For that, you need a pointer — a test — that’s one atom wide or less at the tip.

This is the paradox of the false positive, and here’s how it applies to terrorism:

Terrorists are really rare. In a city of twenty million like New York, there might be one or two terrorists. Maybe ten of them at the outside. 10/20,000,000 = 0.00005 percent. One twenty-thousandth of a percent.

That’s pretty rare all right. Now, say you’ve got some software that can sift through all the bank-records, or toll-pass records, or public transit records, or phone-call records in the city and catch terrorists 99 percent of the time.

In a pool of twenty million people, a 99 percent accurate test will identify two hundred thousand people as being terrorists. But only ten of them are terrorists. To catch ten bad guys, you have to haul in and investigate two hundred thousand innocent people.

Guess what? Terrorism tests aren’t anywhere close to 99 percent accurate. More like 60 percent accurate. Even 40 percent accurate, sometimes.

What this all meant was that the Department of Homeland Security had set itself up to fail badly. They were trying to spot incredibly rare events — a person is a terrorist — with inaccurate systems.

Now that all being said, DHS has actually build a machine that tests for security threats.   Now if this is put into production you get to be watched everywhere you go and wonder about this machine judging your intent and being pulled over for questioning.

If you would like to read more information on this please read the link below.

‘Pre-crime’ detector shows promise – Short Sharp Science – New Scientist

People in the security world were all pretty sure that users never paid attention to dialog boxes.   Ars Technica printed information about a study performed North Carolina State University that proves that the security professionals were correct.  Most users only want to get rid of the immediate annoyance and don’t read what is happening on their screens.

We already know most people don’t read their end user license agreements – but come on.  How many fake windows dialog banner ads do you need to load and have bad things happen to your computer before you learn.   Unlike other childhood cause and effect lessons, we don’t lear clicking the button is bad like the stove is hot when we get burned.   There is a mantra I’ve always enjoyed, “If Stupidity Can’t Hurt, Then It Should Cost”.   I’m rather happy that most users that click and click and click to punch the monkey or get rid of fake banners hads more then likely spend hundreds of dollars keeping their computer in running order after the spyware has had a field day.   I do feel sorry for their family members that have to fix it for free though……

For More information click the link below (Ars Technica)

Fake popup study sadly confirms most users are idiots

Picture from here

A couple weeks ago I was talking with a friend about an idea for a new web service.   The web service would have you enter in all the services and sites you use and have an account with online, and then send you a twitter alert when the policy changed and it would show you which text changed.  My problem is while I could come up with the design, function, and architecture I couldn’t figure out any way to monetize such a service.  I let it languish and said I would eventually write a blog article on how to roll you own.   This is that article.

The key feature to making this work (obviously) is a service that can monitor website for changes and give you some sort of data trigger outbound that is usable for repurposing.  I know I could use services that would do an RSS feed, but I wanted something more immediate and trustworthy then RSS for this scenario.  I hunted around and I found the service Change Detection that will send send you an email when a web page has changed.

E-Mail Alerts

With e-mail you have a bit more control.   It’s all easy.  If all you want is an e-mail alert put in the policy page into the page address field.   Then place your e-mail address in the “send alert to:” field.   Easy as cake and your done.

Twitter Alerts

What about getting twitter alerts?  The first thing I’ll point out, I’m not a programmer.  I’m sure there are much better ways to do this in much simpler methods.  I have two requirements for myself.   Keep it free, and it keep it in the cloud.   Make the internet do the work for you, it’s always on and online – your computer doesn’t have to be.  So instead of using an Uber-Twitterbot I’m going to utilize a few free service:

1. Change Detection -Configure the privacy page you want to monitor the same way in section for getting email alerts.  Instead of relying on the emails for notification, change detection allows you to create an RSS feed for each page you are monitoring.

3. Twitter – Setup a new twitter account that you can friend.  If you worried about privacy (people knowing which sites you are watching), set the updates to be protected so only “friends” can see them.   Have the alert twitter account friend you, log out and friend the account back with your main twitter account.

4. Twitterfeed -Take the feed from change detection, pipe it through twitterfeed so it will put update notifications to your “alert account”.   Now whenever anything has changed you can watch updates from that account and you’ll have almost real time monitoring of any web page.

Picture from here

Ars Technica is reporting that a school in Pennsyvania has suspended 2 students for creating a Myspace profile of their principal mocking him.  A federal judge upheld this ruling when they were sued by one of the students for suspending them for something they created on their own time outside of school.   Personally I find this disturbing on two fields.

The first I want to bring up is parody.  I’m not sure why they didn’t take the parody defense.   To their non-target audience I’m sure the language and style they used was reprehensible, and to the school district bordering in libel.   I however remember what it was like being a teenager, a time period that most adults don’t allow themselves to identify with once they age past it.  The key thing they need ot look at is the target audience.   It wouldn’t be truly fair to have a trial of teenagers to be judged by their “peers” and have the jury made up of people older then 25.   That seems to be the tipping point when the social norms of the next high school generation are lost on the adults.   The language is different.  The clothing is different.   The attitudes are different.  Unless a similar mindset can be understood by the jury, the teenager will loose almost every time in a “Damn kids don’t respect anything” moment.  I think parody would have been the correct defense.

Now let’s look at the freedom of speech angle.  There is quite a few that feel like I do that the traditional schooling these days is to extinguish individual thought and bring people around to “group think”.  We all have our moments when we feel group think is a good thing, most of that time is when group think agrees with what we are thinking.   However when a student has individual thought they seem to get punished.  About eight years ago my sister was almost suspended for going to school with pink hair.   The problem was that “it was a distraction” – really?  Life is all about distraction and things that block you from achieving your goals.   Work through it.   She (nor the boys in question from the beginning argument) hurt or threatened the life or welfare of those around them.   Even then it should be either handled by the police or if it happened in school, by the police and the school.

One of the arguments the defense used was that though the boys wrote the information outside of school, it was targeted at students in it.  Duh!  Almost the whole of their society is wrapped up in school.  They don’t really live work and interact within the community.  Their peer and focus groups are almost all inclusively within that school.  Of course it’s going to be their target audience.  The same way that writing an OP-Ed piece for the local community newspaper is targeted at that community.  It doesn’t matter if the person that wrote the piece technically lives outside the city borders, it’s still valid.  They are addressing their peer group.  What we have now is we are creating a society where it is considered to mock or question public figures.  If their are repercussions outside of the normal legal channels, students then gain a greater fear of authority then they should have.

Like work, there needs to be a seperation between a students personal lives and their work lives.   What I do on my own time is none of my works business.  When I am at work it is completely their business and I have to deal with anything that stems out of my decisions from there.   If this case was going after the libel or slander side of the coin, which is where it should have gone, it should not have been handled by removing the children from the school.  It should have been settled in the courts and outside of the venue of schools.   The biggest issue is while if I do something egregious outside of work that can have a negative effect on the company, I can get fired.  Schools however should not be allowed to fire or punish students on things that take place outside of their borders of jurisdiction, which end at the edge of school property.

Picture from here.

We’ve all read the articles flying around online over the last couple months about your data being confiscated at the border and analyzed by the border patrol.  The simplest solution of course is sending your data across the internet if you have to go through a border crossing and your worried about your data being compromised (cloud computing FTW).  The next best solution is using True Crypt and using a real encrypted volume and a hidden volume.   You risk having to disclose your encryption keys to unlock our visible volume, and with hidden encrypted partitions becoming a common theory, they may be on to you.

So what about hiding data in plain site?

Got a text document you need to hide – find a software that can take all the words in the document – produce a random word file and mixes up the words but all the words are still legible with alot of chaff words included.   If it’s named something like dictionary output 1.txt,  dictionary output 2.txt, etc. etc.   Make sure you carry a copy that can undo this in your webmail account where you can get at this and make the files usable after the fact.

Images?   Those kinky pictures that you felt you had to take with you and you couldn’t bear to mail to yourself in an encrypted fashion?   Well that’s a bit easier.   They are looking for image files on our drive (extensions don’t matter so don’t think you can get by using hte method of renaming your .jpg to .gpj’s).   You can however convert your files into photoshop or gimp formats and use layers.   Take your illicit pictures and put them as a bottom layer in your new image file.   Then on top of that add some other images as other layers.   When they open up the files in gimp, they are unlikely to go through all the layers looking for pornaography.   Bonus points if you use stenography and, hide that data in a picture – then using layers to obfuscate the data further.

These were just some ideas off the top of my head, I’m not leaving the country any time soon.  If I was, I would be transmitting all of my data encrypted across the internet.   If trusting the network is too much for you, your welcome to try these methods.  Your mileage may vary.