Hacking as portrayed in TV and film

From the Sublime to the Ridiculous Department:

Swordfish, Spooks, NCIS, CSI: they’ve all portrayed the hacker as someone who rattles his fingers over a keyboard for thirty seconds, and voila! A brilliant hack occurs!

Some depictions are very cool: the wave-your-hands interface in Minority Report, or the SSHNuke exploit Trinity performs in the Matrix movies (while wearing gloves – now is that uber-cool or what). But lots are just silly. Check out this NakedSecurity article: http://nakedsecurity.sophos.com/2012/01/31/viruses-hacking-tv-movies/?utm_source=Naked+Security+-+Sophos+List&utm_medium=email&utm_campaign=eb00243764-naked%252Bsecurity

Chinese components in American military uses: should we trust them?

Electronics are complicated. Software, even more so. So when you’re buying electronic components from your biggest trade competitor, one with overt military agendas, should you worry about what might be “tagging along” with that hardware or software? How about when sensitive data is moved to the cloud as a cost-cutting measure?

“Our clouds are running off of hardware that’s built in China,” said Tom McAndrew, an executive at IT compliance firm Coalfire who also is a Navy Reserve surface warfare officer specializing in weapons systems. He was not speaking on behalf of the Pentagon. “The challenge is — can you create a secure cloud running on top of nonstandardized, noncertified hardware?”

Lawmakers have warned of a nightmare situation where bad actors intentionally install a “backdoor” mechanism — essentially malicious programming — into military circuitry to, for example, shut down systems remotely or leak information.

Read the whole story at http://www.nextgov.com/nextgov/ng_20120106_5015.php?oref=topstory

Windows Automated Installation Kit (AIK) for Windows 7 and Server 2008

Installing and deploying workstations or servers at enterprise scale has never really been all that fun, despite plenty of tools to create system images, perform unattended installations, and so forth. Windows Vista and 7 made the game harder, with hoops to jump through if you want to Ghost a golden image.

Which makes me very interested in the Windows AIK for Windows 7 and Server 2008 R2. You can download this tool at http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=5753

If you get a chance to try it too, drop me a note and tell me how it works for you. Lots of us will be interested.

Codecademy lets anyone write programming tutorials

Codecademy has a great idea going: that more people should know how to code. Their main site is Codecademy.com, and they also run a terrific project called CodeYear, at CodeYear.com. (One of the fascinating quotes from famous business people on that site: “If you want to invest two years in something that will help you, you would do better to learn how to hack than get an MBA.” Really.)

The problem has been that the lessons have been too few, and sometimes too fast-paced, because only staffers and invited contributors could create them.

Until now. Codecademy has launched Codecademy Course Creator, which allows any knowledgeable coder to contribute.

Why would we want to? For the exposure. I can personally testify that simply having your name spread all over the place will bring you an amazing variety of interesting opportunities. And if you’re acknowledged as a truly great coder, Codecademy promises to offer “significant exposure”.

See this article: http://techcrunch.com/2012/01/30/codecademy-becomes-a-platform-now-anyone-can-write-programming-tutorials/?utm_source=feedburner&utm_medium=twitter&utm_campaign=Feed%3A+hackernewsyc+%28Hacker+News+YC%29

Hurrah for the Netherlands, where Net Neutrality is now Law!

You’d have to have your head buried on some faraway beach not to be aware of the recent debates in the US about Net Neutrality, the idea that all traffic should be treated equally. I used to use the example of Comcast deciding to block Netflix over their cable network – until Comcast actually did it! And got sued, of course.

There has been a lot of deliberate muddying of the waters on this subject, with telecoms claiming they need the right to restrict in order to survive. Consumers are not so sure about this idea. Enter the Netherlands:

Net neutrality is controversial around the world, with heated discussions on the subject taking place in the United States, Europe and many other regions.

The idea it enshrines is that all internet traffic should be treated equally, regardless of its type – be it video, audio, e-mail, or the text of a web page.

However, ISPs said they need to discriminate because unchecked traffic from some applications, such as games or file-sharing programs, can slow down their entire network for all customers.

As a result many ISPs throttle, block or charge extra for many bandwidth hungry applications and content.

This has become an issue for content creators, who do not want to have a two-tier internet and would like users to enjoy whatever they produce in the best way possible.

Read the whole article at http://www.bbc.co.uk/news/technology-13886440?utm_source=feedburner&utm_medium=twitter&utm_campaign=Feed%3A+hackernewsyc+%28Hacker+News+YC%29

Department of State condemns Iran for doing to Iranians what NSA does to Americans

Department of State, meet the National Security Agency. Left hand, meet the right.

Because, dear Department, you want to investigate Chinese firm Huawei for providing technology to Iran that allows the government to monitor and track Iranians through their cell phones.

The Department of State “shares the concern of any potential export of technology to Iran that is to be used specifically to disrupt, monitor or suppress communication of the people of Iran,” said department spokeswoman Beth Gosselin in an email.
http://news.idg.no/cw/art.cfm?id=C37A9ACF-AB10-59AB-413F9A70B4C4D03D

You might want to take a look at what’s going on at home. The NSA has testified before the Senate that it tracks Americans via their cell phones (http://www.infowars.com/nsa-admits-it-tracks-americans-via-cell-phones/). This is not comforting news, at least to Americans.

And there seems to be a nasty little back door/rootkit called CarrierIQ that’s prevalent on smartphones, too (http://www.engadget.com/2011/12/01/carrier-iq-what-it-is-what-it-isnt-and-what-you-need-to/). It’s such a nasty security risk that smart users are tearing it out (http://techcrunch.com/2011/12/01/carrier-iq-how-to-find-it-and-how-to-deal-with-it/).

This one appears to be a blatant violation of federal wiretap law, but I’m not a lawyer, so don’t take it from me (see http://www.forbes.com/sites/andygreenberg/2011/11/30/phone-rootkit-carrier-iq-may-have-violated-wiretap-law-in-millions-of-cases/). But just a question: if any federal agencies used these phones, isn’t there a little problem?

So there certainly does seem to be a great deal of wiretapping, monitoring and tracking going on already right here in the good old U.S. of A. You might want to coordinate with the NSA so it’s not so embarrassing when you condemn totalitarian theocracies for doing to their citizens what our government is already doing to us, and allowing our telecoms to do to us as well.

Trust and Google’s Privacy Policy

Google, some have argued, knows more about you than your wife or husband. And now all the things they know about you from various locations (what maps you’ve used, what documents you’ve shared, what your certainly-not-private email contains, what porn you’ve surfed, for what you’ve searched) are conveniently gathered in one location, and all integrated into Google’s Digital You. Any time you are logged into or using any Google service, Google is watching you.

This is a lot to ask, in terms of the trust they want me to give them. I’m going to apply a very much simplified version of an ISECOM trust analysis on this situation, and try to arrive at some sort of trust decision.

The ten trust properties prescribed by ISECOM:

  • Size. How many people am I trusting with my Google Digital Doppelganger? The number is huge. Huge. Primarily people who want to sell me something. But not ordinary people, not yet, though that prospect makes me leery. All this makes risk large, and trust small. Minus one.
  • Symmetry. Is the trust two-way? If it’s not, then there is room for abuse. So is Google going to allow me to see personal information about the corporation? No. Is Google even going to allow me to see “what they’ve got on me”? No. Minus one.
  • Transparency. How open is Google in general? Not. Will they openly share their data about me, which is essentially MY stuff, like my car is my stuff? No. Minus one.
  • Control. Who, exactly, controls the data? Google. Can I get data about me erased or corrected? Essentially, no. So who is in (total) control? Google. Minus one.
  • Consistency. Does Google have a consistent record of protecting data privacy? Well, getting hacked by the Chinese so they could root out dissidents wasn’t exactly a stellar example. And Google has indeed bowed to the governments both here and overseas and surrendered data. So the answer is no, and the point is minus one.
  • Integrity. Is Google today what Google once was? Not so much. Is that cause for alarm? Good question. More accurately, does Google provide timely notice of changes, like their notice of this change of policy? Actually, they are relatively good at this. Plus one.
  • Offsets. Is Google going to pay when my data is compromised? Are they offering me any financial guarantees? Because they’re certainly bringing me risk. Minus one.
  • Value of Reward. Does Google offer me something valuable? Absolutely they do, in many areas. Plus one.
  • Components. What are the things that gather, store and update information about me? How many of them are there? Because the more, the riskier. Minus one.
  • Porosity. How far is my Digital Doppelganger, within Google, separated from the external Internet? Possibly, it’s well isolated. But how well is my Digital Doppelganger separated from paying clients of Google (not of mine)? It’s not: it is precisely to them it is available. Minus one.

Ultimately I arrive at a minus six, a low enough level that my willingness to trust Google is quite small. I’ll be reluctant to log into my cursory Google+ account again, and certainly I won’t do Gmail. I don’t mind using Google Maps, since I do so very rarely. But I darn sure won’t use Google Docs, nor would I suggest that a client do so. That is, however, their trust decision.

As for me, now it’s time to take a look at Facebook. And LinkedIn. And so forth. Because my Digital Doppelganger belongs to me, the same way my car belongs to me. Don’t ask to borrow it, then wreck it, please.

Proposed European Privacy Rules: Good for the Individual, Bad for Business?

The issue of data privacy is going to be a big, tough, chewy lump of raw meat. People are going to fight over it, but nobody really wants to eat it.

If you’re a company doing business overseas – and if you’re online, you’re overseas – then you will have to comply with these rules as regards European users. That means, for all intents, you’ll have to implement data protection and privacy measures, period.

This may drive business from Europe, at least businesses for whom an Internet presence is also an element; at least that’s the theory. It’s certainly true that the previous round of laws were designed to encourage Internet growth; now the shoe’s on the other foot. How do you implement a “right to be forgotten”?

The new Regulation signals that the tide has turned. The 1995 Directive focused on building the online economy, and favouring businesses large and small to expand and grow, while the 2012 Regulation will reverse the fortunes for businesses and focus on European end users.

Internet companies will have to seek explicit consent from their users to use data about them, including when it is being collected, told for how long it will be stored, and for what purpose it is being used.

Read this story at http://www.zdnet.com/blog/london/how-the-new-european-data-law-will-affect-us-companies/2608?tag=nl.e550