Security
PSN Hacked
The PS3’s security is in the news again, this time with the PlayStation Network. Those of you who spend time on it have no doubt heard by now that the network was compromised, and was shut down as a result.
There’s been a lot floating around on the rumor mill, both as a result of speculation and the deafening silence coming out of Sony. I’ll try and explain why this is probably the case.
At the beginning of any incident, very little is known. Something, somewhere, alerted Sony to the fact that a breach had taken place. And by breach, we mean any successful penetration of the security perimeter (the line demarcating where Sony’s control over their network infrastructure ends). It is not:
- An nmap scan against their firewall. That sorta thing happens all of the time, and is outside their perimeter.
- Buying things off of PSN with a stolen credit card. (That’s another problem entirely.)
A breach means that someone was able to gain access to a device or devices in a way that they shouldn’t have had permission to do. That’s it. At that point, Sony is in incident response procedures.
It’s important to make that note because once it’s been determined that an illegal entry has taken place (and it is illegal), it’s absolutely essential that they do things by the book. Once they know they’ve been compromised, care must be given not only to finding out exactly what happened, but to preserving that information in such a way that it can be used in a criminal investigation later. There are also legal obligations of reporting and notification that apply if, say, personal or financial information is compromised, and only with detailed information on hand can those be fully met.
Sony’s takedown of the system was a wise move in that regard, because it enabled them to freeze the state of their system so that they could conduct their investigation without worry of the system being further modified by either the attacker or through normal operation. Much like preserving the scene of a crime, proper incident response requires the system owner to freeze the system state so they can be confident that the system has been unchanged since the time the breach was discovered.
Once that is done, there are tons of questions to be answered. Keep in mind that at this point, all the system owner knows is that the system was in some way compromised. Among them:
- What information was accessed? What wasn’t?
- How was it accessed?
- Who did it?
Note my ordering here: “who” is placed last. While this is no doubt important, the primary concern will be to determine if sensitive information was compromised and how. Maybe the attacker was able to log into an authentication server, but was unable to access the database containing personal information? Maybe he was able to access that as well? These questions are important in determining the actual risk incurred, the amount of work needed to be done to clean up or mitigate the breach, as well as identifying later what worked and what didn’t.
Figuring out what the attacker accessed means tracing back, from the point of entry, every action the attacker took. Much like a detective will try to determine the events of a crime, the computer forensics team will need to determine what was accessed, when, and how. To do so means combing through tons of logs, ACLs, and any errors or alerts that fired. This could be made easier or harder depending on the level of logging they had configured and any systems they had in place to aid in this process. Maybe logging was configured on all devices, or only some? What events were being logged, and were any not being logged that would be essential later? Is there any sort of log aggregation device that is being used (syslog) or do they have to be collected individually? Are there any parsing tools being used that will help in sifting through the data, or does it all have to be combed through by hand? Did the attacker access the logs, and in that case, can they be trusted? All of these things will determine the speed and accuracy with which Sony will be able to determine what happened and how.
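The triage questions above, as an added example that is not part of the original post: logs from several hosts are aggregated into one timeline, pivoted from a suspect address to the accounts and sessions it used, and checked for hosts or periods with no logging. The host names, log format, addresses and the 30-minute and one-hour thresholds are all assumptions, and the log lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample logs keyed by host. Host names, formats, addresses and
# accounts are invented for illustration; they are not from the incident.
LOGS = {
    "web01": [
        "2011-01-05T02:11:09 src=203.0.113.7 req=/login status=200 session=ab12",
        "2011-01-05T02:14:40 src=198.51.100.4 req=/store status=200 session=ff90",
        "2011-01-05T02:15:02 src=203.0.113.7 req=/admin/export status=200 session=ab12",
    ],
    "auth01": [
        "2011-01-05T02:11:08 event=login_ok user=svc_app src=203.0.113.7",
        "2011-01-05T02:13:55 event=login_ok user=alice src=198.51.100.4",
    ],
    "db01": [
        "2011-01-05T02:15:03 event=query user=svc_app table=accounts rows=50000",
        "2011-01-05T02:16:10 event=query user=alice table=orders rows=3",
        "2011-01-05T05:40:00 event=query user=svc_app table=orders rows=12",
    ],
}
# Hosts that should be logging; fw01 delivered nothing (constructed gap).
EXPECTED_HOSTS = ["web01", "auth01", "db01", "fw01"]

KEY_VALUE = re.compile(r"(\w+)=(\S+)")


def parse(host, line):
    """Turn 'TIMESTAMP key=value ...' into a dict tagged with its source host."""
    stamp, _, rest = line.partition(" ")
    event = dict(KEY_VALUE.findall(rest))
    event["ts"] = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S")
    event["host"] = host
    return event


def load(logs):
    """Aggregate every host's lines into one list ordered by time."""
    events = [parse(host, line) for host, lines in logs.items() for line in lines]
    return sorted(events, key=lambda e: e["ts"])


def build_timeline(events, indicator_ip, window=timedelta(minutes=30)):
    """Events from the suspect address, plus events on other hosts that reuse
    an account or session it used, up to `window` after its last activity."""
    direct = [e for e in events if e.get("src") == indicator_ip]
    if not direct:
        return []
    users = {e["user"] for e in direct if "user" in e}
    sessions = {e["session"] for e in direct if "session" in e}
    start, end = direct[0]["ts"], direct[-1]["ts"] + window
    timeline = []
    for e in events:
        pivot = e.get("user") in users or e.get("session") in sessions
        if e.get("src") == indicator_ip or (pivot and start <= e["ts"] <= end):
            timeline.append(e)
    return timeline


def missing_hosts(logs, expected):
    """Hosts that should be logging but contributed no events."""
    return [h for h in expected if not logs.get(h)]


def silent_gaps(events, host, max_gap=timedelta(hours=1)):
    """Periods where one host logged nothing for longer than max_gap:
    either an outage or a sign the log was altered; both need explaining."""
    times = [e["ts"] for e in events if e["host"] == host]
    return [(a, b) for a, b in zip(times, times[1:]) if b - a > max_gap]


if __name__ == "__main__":
    events = load(LOGS)
    for e in build_timeline(events, "203.0.113.7"):
        detail = {k: v for k, v in e.items() if k not in ("ts", "host")}
        print(e["ts"].isoformat(), e["host"], detail)
    print("no logs from:", missing_hosts(LOGS, EXPECTED_HOSTS))
    print("db01 silent periods:", silent_gaps(events, "db01"))
```

The database event only appears in the timeline because of the account pivot; it carries no source address of its own, which is exactly the kind of detail that depends on what each device was configured to log.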
At this point, Sony has determined that personal information was compromised (see their FAQ) and is in the process of trying to find out conclusively if financial information was gained as well. Depending on the answers to the questions above, they may or may not be able to say so with certainty. In this case, assume “worst case”, that the attacker obtained it.
Unfortunately, we won’t know any more unless Sony releases their “After-action” or “Lessons learned” reports after the fact. This, while no doubt helpful to the security community and other organizations seeking to avoid a repeat, will most likely paint Sony in an unflattering light. It’s for that reason that we rarely see those kinds of disclosures, the lessons are never shared, and this sort of event gets repeated so many times for so many businesses. Exactly how the attacker perpetrated the attack will likely remain unknown for a long time, unless authorities actually succeed in bringing him to justice.
There’s little point in speculating as to how the breach occurred. While most of the rumors have pointed towards an entry through the PlayStation itself or some other method through the PSN authentication servers, it’s by no means limited to that. Nor is it necessarily the work of even an external attacker (though Sony alludes to this). Nevertheless, I will engage in a bit of speculation of my own and suggest that someone did get through “the front door” as it were, given the poor security of the console and the hacking community’s repeated ability to authenticate to PSN with hacked and compromised consoles. We’ve seen other instances of poor key management and lax authentication from the PS3 design, and it’s not hard to speculate that some of this carried over into the PSN’s design.
If this were the case (and do make note of the “if”, as this is entirely speculation here), then it calls into question what sort of protections exist between the public-facing PSN servers and the back-end payment processing and database servers that house customer information. It’s been my experience in the past at least that it’s all too common for many system owners to throw a firewall and SSL on the front end, and call it done. Defense-in-depth is key. And even in places where a DMZ does exist (firewalls both in front of and behind your public-facing servers), they’re not always configured correctly. And your databases still need to be hardened and configured for least-privilege. There’s a tendency for things to be lax on the back end, with the argument that “no one should be back here anyways”. That may be true, but that doesn’t mean that someone won’t be eventually, and those successive lines will be the difference between reporting a breach of your DMZ and calling it a day, and reporting the leak of 70 million plus records. =P
The other talk has been of “why”, and why has Sony made themselves such a target. Why not Microsoft or some other?
Certainly, XBox live could have been the target of something like this, and it’s entirely speculative as to whether or not their service is better hardened against this sort of thing. I’m inclined to think that perhaps it is, given their tendency to deploy their own solutions in-house before helping their customers do the same.
But more importantly, Sony has made themselves a target. The PS3, when released, was billed as a “do everything” console, and in addition to being an entertainment console, it was built to resemble a hacker’s dream: It used an exotic, but open and well supported foundation in the form of the Cell processor for which there were plenty of APIs and compilers available, and it readily supported the installation of other operating systems and applications.
The problem here for Sony though was that selling an open console did not fit with their strategy of being an exclusive provider of the buyer’s media and applications. Piracy no doubt played a role in this as well, but in the process of stamping that out, they also shut the door on thousands of people who bought the platform for its homebrew and hacking applications. This is combined with the fact that it’s hard to justify paying for Sony applications and services when it’s entirely possible to throw your own operating system on the machine and gain those abilities through an independent channel. Sony does not make money on selling you just the console, and so this is a losing proposition for them.
So Sony has been in a losing position due to trying to sell and support a console that is built for a purpose other than their business strategy. The 360 suffers from none of these issues, because it was never an open platform to begin with. Microsoft’s console strategy is no different than Sony’s, but because the 360 was never a viable platform for homebrew, it never raised people’s hopes in the first place.
It’s worth mentioning that the Kinect is an entirely different scenario, but Microsoft no doubt makes money on the sale of each of these devices, and so it is entirely fine with providing them to anyone who wants to do something with it. Consoles on the other hand, make their money through the sale of games and services, not from the console themselves, and so anything that breaks the model of ensuring that consumers buy from only the services provided by the console vendor makes selling them a losing proposition.
This model runs contrary to the way most people are used to buying things, in which the item becomes yours, to do with as you please, once you’ve purchased it. This has been the expectation of those who bought the PS3 console in particular. Sony’s model, however, is built on the idea that you’ve instead paid to license the console from them, and they dictate what you can and cannot do with it. This is no different than Microsoft’s or Nintendo’s model, but by going out of their way to promise and deliver an open platform, only to take it away a couple of years later, Sony has made themselves the target of the community’s ire, with attacks such as this one.
Your PS3 is not transmitting in the clear…
There’s a PDF going around today that’s been getting a lot of attention in claiming that Sony is transmitting user information in the clear:
Unfortunately, the paper is loaded with irrelevant information, dubious claims, and poor understanding of internet transactions. But there is a little nugget of good information in here, which I’ve tried to pick out.
The section on “sensitive information” seems to contain a lot of filler, and doesn’t make too much sense. He claims that Sony uses HTTPS/SSL, but that this “isn’t good enough”. He then goes off topic about how Sony is a large network and that the IP addresses of this large network are all publicly accessible. This is all true, but does not contribute to his argument that the information is not secure. But he does seem to insinuate that there’s a way to phish user data, particularly in his mention of SSL, custom certificates, and third-party DNS servers.
Let’s look at the HTTPS/SSL issue.
When an SSL session is negotiated by your PS3 with Sony’s servers, you fetch a certificate from the PSN server that is authenticated against a CA, verifying that the server is who it claims to be. In that certificate is the server’s public key, which is used by the client to encrypt information to send to it. Information cannot be decrypted by the public key, only by the server’s private key, which only it possesses.
So the information being sent to Sony is encrypted, and it’s using SSL, the accepted standard for banks, remote terminal sessions, your gmail, and generally anything else of importance. There are no current flaws in this protocol when implemented correctly.
The ability to forge a client certificate on the PS3 weakens this somewhat, but not directly, and the paper fails to describe this. But I think I can identify what he’s trying to get at.
The PS3 needs to have a trusted root certificate from a Certificate Authority (CA) stored in the console so that, when contacted by a system claiming to be a Sony PSN server, it can verify that it really is a PSN server. (This is the same mechanism that identifies your bank to be who they claim to be.) The ability to create custom firmware (CFW) means that a hacker could distribute a CFW that possesses an altered, additional, or different trusted root CA.
Recall whenever your web browser gave you an alert upon finding an expired certificate, or probably more appropriately, a self-signed certificate. If you’re using HTTPS on a home router, you probably have one of these. Since there is no pre-loaded root CA on your system, you need to decide if you can trust it yourself.
By having a CFW loaded, you’re never prompted for this, and unless you audit the code yourself, you won’t know if there’s other root certificates loaded. Any that are loaded are assumed trusted.
Here’s where we get to the “third-party DNS” that he mentions. Assuming you’re not running your own DNS server (to say nothing of whether it’s secured), it is possible that the DNS server you connect to could be spoofed to identify a Sony PSN server’s host name as a different IP. At that point, assuming you’re running a CFW that has a crafted root CA loaded, the PS3 will receive the spoofed address, the altered certificate will identify the server as legitimate, and a connection will be established. Voila, your information is being sent.
So the short of this:
Your information is not being sent in the clear, but is being sent via industry standard HTTPS/SSL.
For an attack to succeed:
- An attacker must persuade you to load a CFW that has a self-signed root certificate loaded on it
- The attacker must successfully poison the DNS cache of a DNS server that YOU use
- The attacker must then wait/hope/pray that you connect to the server he spoofed so that you can authenticate to him.
That, ladies and gentlemen, is a pretty tall order, though it’s by no means implausible. But it is the sort of issue that gets a lot of attention these days (and is a large part of the reason why certificate validation has become so visible in web browsers as of late.)
Of course, it could certainly be a lot simpler than that. If we can convince someone to load our custom firmware, why not have it contact our servers directly? We could dispense with SSL altogether, install our own application data, and pull all of the information we want directly. A CFW allows its writer to exercise control of the system if he/she wanted to, just like a trojan or rootkit gives an attacker control over a PC.
So if you’re not using a CFW, then you’re pretty safe. If you are, then you need to ensure that no other forged or crafted root CAs exist, and that you are using a relatively secure DNS server. In my opinion, any DNS server by a major ISP should be more than sufficient.
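One way to run the root CA check described above, as an added example that is not from the original post: fingerprint every certificate in an installed trust bundle and compare against a known-good baseline. The bundles here are constructed placeholder bytes standing in for real certificates, and where a given firmware keeps its trust store is not something this sketch assumes.

```python
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def fingerprint(der):
    """SHA-256 over the DER bytes, the usual certificate fingerprint."""
    return hashlib.sha256(der).hexdigest()


def bundle_fingerprints(pem_text):
    """Fingerprint every certificate block in a PEM bundle.

    Hashing the decoded bytes (not the text) means a re-wrapped or
    re-indented copy of the same certificate still compares equal."""
    prints = set()
    for match in PEM_BLOCK.finditer(pem_text):
        b64 = "".join(match.group(1).split())  # drop line breaks and spaces
        prints.add(fingerprint(base64.b64decode(b64, validate=True)))
    return prints


def audit(baseline_pem, installed_pem):
    """Roots present but not in the baseline, and baseline roots removed."""
    baseline = bundle_fingerprints(baseline_pem)
    installed = bundle_fingerprints(installed_pem)
    return {
        "unexpected": sorted(installed - baseline),
        "missing": sorted(baseline - installed),
    }


def to_pem(der, width=64):
    """Wrap bytes as a PEM block; used only to build the constructed samples."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


# Constructed placeholders: arbitrary bytes standing in for DER certificates.
ROOT_A = b"constructed placeholder standing in for vendor root A" * 4
ROOT_B = b"constructed placeholder standing in for vendor root B" * 4
ROOT_X = b"constructed placeholder standing in for an added root" * 4

BASELINE = to_pem(ROOT_A) + to_pem(ROOT_B)
# Same two roots (one re-wrapped at a different width) plus one extra.
INSTALLED = to_pem(ROOT_A, width=20) + to_pem(ROOT_B) + to_pem(ROOT_X)

if __name__ == "__main__":
    result = audit(BASELINE, INSTALLED)
    for fp in result["unexpected"]:
        print("unexpected root:", fp)
    for fp in result["missing"]:
        print("baseline root missing:", fp)
```

The baseline has to come from a source you already trust; a bundle shipped inside the same firmware image being audited proves nothing.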
If Sony has a good argument for persuading people not to use a CFW, then it’s this one here. Remember the tenet of security: “If a bad guy can persuade you to run his code on your computer, then it’s not your computer anymore”. PS3 hackers are suddenly discovering this. With root access, you can see a lot that you couldn’t previously. Would they be just as surprised to know that this very same information is sent to your bank, or Paypal, or WoW account, every time you use your PC?
I am just as excited as most at the possibilities of running custom code on the PS3 hardware. But with such power comes responsibility, as well as danger. Always ask yourself if you trust the source of your software, and what mitigations are in place. For CFW, those mitigations could be few indeed. Keep your personal information off a cracked PS3, and if feasible, off the internet entirely. I have no doubt that Sony will find ways to keep cracked PS3s off PlayStation Network for good, so there’s little to lose here. The important thing is to recognize the risks that follow a CFW, and act accordingly.
(Parts of this post were originally posted here, comments, page 3)
Letter to Congress on security
As promised, the text of the email I wrote to the Honorable Jim Webb, Mark Warner, and Gerry Connolly, Senators and Representative, respectively:
———————————————————————–
Dear Sirs,
I am writing to you to share some of my concerns regarding recent decisions with regards to airline security and the general security approach of the United States in general.
Starting sometime after the discovery of bombs hidden in printers aboard cargo planes, the Department of Homeland Security through the TSA decided to implement full-body scanners and pat-down searches at all airports. Whatever the misconceptions and notions surrounding these techniques, I fail to comprehend the cause and effect between the attempted delivery method and the countermeasures used.
More importantly however, I am increasingly disturbed by the increasing willingness to infringe on privacy, courtesy, and respect, in the attempt to make us “safer”. It is my opinion that these measures are not only ineffective, but insulting to a society that supposedly prides itself on its freedom and liberty.
Throughout our history, we have trumpeted our ability to stand up to hostile action and adversity, and resist intimidation, fear, and danger in order to preserve the fact that our nation was created around common virtues, and not some racial or geopolitical basis. Our founders espoused mottoes such as “Give me freedom or give me death!” and “Live free or die.” to illustrate the fact that they believed that it was better to risk one’s life as a free man than to guarantee safety under oppression.
It is not an easy thing to be able to stand tall and say “I accept the risk” when such horrific implements can be used against us. But that’s just what we as Americans have done in the past, and has given us a reputation of bravery towards our ideals.
Our intelligence and police agencies continue to do their best to sniff out plots, work together, and investigate wrongdoing. In every reported instance, we have either thwarted or quickly responded to every attempted act of terrorism, often through good old-fashioned detective work. This has shown to be a proven and effective method of dealing with the threats we face while maintaining a free and civil city, and we should continue to support these people where we can.
There will always be a residual risk however, one will, invariably, get through. It is in these times in which our fellow citizens, not our soldiers or police, will be tested. And just as those citizens in history decided it was better to risk their lives in war than live under oppression, so do we need to accept a degree of risk, however minute, in order to live according to the freedoms and liberties we all desire and espouse, that so many gave their lives for centuries ago.
Our world is in many ways, safer than it has ever been. Our time-tested and honed methods keep the likelihood of being affected by such an attack to a tiny amount. It is up to us ordinary citizens to carry the rest, to resist the urge to investigate our neighbors, to spy on their conversations, to search them in public without probable cause. I ask you to help set this example and do your best to repeal these practices, and remind the rest of the world what it truly means to live in a free society.
Thank you for your time.
~Chris Kozlowski
The Price of Freedom
“Those who would give up essential liberty to purchase a little temporary safety deserve neither liberty nor safety.”
-Benjamin Franklin
I often wrestled with the above statement, re-quoted so many times by so many people in the face of any security argument. In the urge to “connect the dots” after 9/11, I often wondered what Ben Franklin would have thought of his now famous statement. Would he still agree? Is it too much to ask to purchase a little safety?
The world we live in today is much different from that 234 years ago to the day. We live in a time of magic and awe. Six billion people inhabit this planet, many of them able to share their thoughts and ideas with millions of others instantly regardless of distance or location. We are able to send anyone or anything anywhere on the globe within 24 hours. A butterfly flapping its wings in Africa may be able to eventually spawn a hurricane in the north Atlantic, but that’s nothing compared to the speed of an email or Twitter wave.
Never before has the world been so open and interconnected, and every day the lives of thousands everywhere get incrementally better as the walls that held back human progress in the remote locations of the world come crumbling down. Yet the same mechanisms that whisk thoughts and goods and people from place to place also send threats and malcontent over the same channels. Some are terrified at the rapid changes in people’s lives, and are driven to violence. Others believe that the rest of the world should stay as it is, that we should build the walls again, and leave the rest to its machinations.
To the latter group, it is a fool’s wish. The world will never close up again. And it is here we find ourselves today.
I wondered what Ben Franklin would have said. If we were not to give up liberty for security, then were we to give up security? Would it be inevitable that people would be bossed and shoved around? Terrorized? Harmed? Killed? Who would advocate this? No, I thought, people were being too thin-skinned. It doesn’t matter if the FBI or so is reading your email, they’re not out to get you anyways. An extra security line here or there to check for bombs is fine. The nation got its fill of seeing people jump out of skyscrapers to their deaths to avoid being burned alive, and we would all toughen up to avoid having to go through that ordeal again.
I thought this for a while, until I passed a New Hampshire license plate.
It’s been said so much from such an early time that the words became meaningless to me, and yet one day, driving down the interstate, it clicked. There was a time when people didn’t have a say in how their affairs were run. They were forced to pledge loyalty to some guy an ocean away, who didn’t give a shit about them unless the taxes were not being paid. People were tried and convicted in mock courts, under laws that were suspended at will, and where death by hanging could be the penalty for a trivial offense.
The people who endured this chose not to fall in line, but rather, they declared war.
The statements “Live Free or Die”, “Give Me Liberty, or Give Me Death!” are quotes that are referred to often. They were spoken by ordinary men who were fully willing to embrace the threat of harm to ensure the right to live as they pleased. A terrible conflict ensued, and thousands perished.
We honor this day and others during the year and speak to those days when those citizens before us decided enough was enough and they would be terrorized no longer. We celebrate, rightfully, what was a monumental occasion.
It has been over two centuries since that conflict. But these days I feel that sentiment, the lessons from that struggle, are more relevant than ever. Our world holds untold promise and prosperity, but also new threats and dangers. We face risks and read about horrors that the founding fathers never would have imagined.
Many in this country think we should do everything we can to protect our citizens from every conceivable threat and attack. This is a laudable, if unrealistic, aim. Nevertheless, we try. But in doing so we often erode those liberties the founding fathers spoke of. We read email, install full body scanners, take off our shoes at airports. You can no longer photograph some buildings or officials, for fear of undertaking reconnaissance. Some declare that the constitution should no longer apply to those accused of terrorism, U.S. citizen or not.
Those in the security business would tell you that these measures work to a marginal extent. A determined attacker will get through eventually. However, many would argue that any measurable increase in security is worth the price.
The founding fathers would disagree.
No one would argue the need for practical measures, for vigilance, for a strong military and law enforcement. But the day will arrive, occasionally, where harm is done or lives are lost. And it is we, the ordinary U.S. citizen, who must remember that it is the price we pay for enjoying such little interference in our affairs, for the right to do as we please while upholding the rights of others, for the right to choose, to speak out, to condone and complain.
We are not defenseless. Bravery, ingenuity, cleverness, and tenacity continue to protect this nation of 300 million every day. We are not on the verge of being annihilated, and we were wise to structure our government in such a way in that we rely on no one man or family for continuity. Our military, our intelligence agencies, federal and local police, all of our lines of defense filter and stop so much. But there is a threshold at which point security begins to trump liberty, and it is there where we must accept that residual risk and bear the burden ourselves, as the revolutionaries once promised to do, and did.
Have a happy 4th of July everyone. =)
Cyber Command
I was reading over Schneier’s blog on the recent hearings for Lt. Gen. Alexander’s nomination to head the US Cyber Command, which would be a new unified DoD command to address IA issues, both offensive and defensive. Reading through Schneier’s comments and those who replied to his post, I was a bit taken aback.
I didn’t find anything in his remarks that is particularly alarming (the comment that DHS and the FBI would be the primary agencies to address domestic IA issues spoke volumes about his views on his command’s AOR), but I did find lots of snide comments from the peanut gallery that somehow the military is wasting its time and that the threat to DoD information assurance is somehow a myth.
Granted, DoD, just like a private organization, is loath to acknowledge when they’ve been compromised, but most readers here I’m sure would recognize that it’s occurred many times in the past. So I’m a bit puzzled that when DoD starts discussing a unified command to deal with these issues, they’re met with ridicule.
There are justifiable and wholly appropriate questions being asked about just how DoD intends to defend its networks, and they and outside individuals correctly recognize that the nature of the internet means that threats will originate from inside and out, across a myriad of state lines, sovereignties, various agencies and organizations. People have a right to know how DoD will respond in these cases, but don’t be surprised or offended if they come knocking.
Government agencies, which control VAST networks handling everything from taxes to health care and military communications, are finally starting to get serious about network security, and they need our help. (They can start by dropping the “cyber” part of their name. =P ) But the cries of “BULLSHIT”, “Buy American!” and “wahhh! Wiretapping!!!” echo Tea Party-like cries of boogeymen and conspiracies that are not there.
Be concerned. Question, critique. But please, don’t expect them to sit back and do nothing while they’re getting lambasted online and off. The Government moves much slower than we’d all like them to, but at least we’re starting somewhere. The Cybersecurity Act and this command are at least a starting point. The former got lots of good input and revision before it was done. We can do the same here.
P.S. Everyone knows what a probe is. (Hint, it’s not just a ping sweep.) No, he didn’t spell it out for the congressmen in the room, and he didn’t need to. Remember, these people interviewing him send “internets” to one another. =P
Pwn2Miss the point.
There’s been a lot of coverage on the Pwn2Own event, in which various browsers are hacked in seemingly under 3 seconds.
My friend Ken had a really excellent analogy.
“That would be like saying someone ran the New York Marathon in 12 hours, implying anyone can do it that quickly. But forgetting the years of training it would take to build up that endurance.”
The media never assumes that someone just wanders up to the starting line on a whim and cranks out a record time. So why is it always misreported that these researchers cracked a browser in so many seconds? They didn’t hack the browser in 3 seconds; the 3 seconds was the time it took to execute the script they spent the previous year creating. =P
Trusting SSL
New School has a recap and a commentary on the disclosure of an internet appliance that can be used to eavesdrop on HTTPS communications. That is, web applications such as banking, e-mail, commerce, and the like.
Before anyone panics, it’s not a hack, exploit, or otherwise. Actually the box itself doesn’t do much at all. The device relies on a certificate authority to forge a certificate of a legitimate website (The CA having assigned the certificate in the first place) so that the box will appear, for all intents and purposes, to be the actual site. Man in the middle.
What New School does a good job of pointing out is that this is not, as stated above, an exploit or hack, but a breakdown in trust. The company that markets the device does so to law enforcement and intelligence agencies, and I have no reason to suspect that they have not been able to convince a CA to forge a certificate for them on request. The fault lies solely with the CA that created the forged certificate that allowed the appliance to appear as the legitimate site (something digital certificates were designed to protect against). It is, essentially, the ultimate irony. The groups asked to be the most trustworthy could easily destroy that trust, and undermine the system in the process.
There’s no evidence that any of this is taking place on a wide scale, or by which CAs, if any more than one or two at all. But as the author points out, browsers come preloaded with the certificates of hundreds of CAs, which can then be used to validate most certificates on the net. I can only guess at a future where users would be recommended to be more selective in the CAs they use, based on a history of those shown to abuse that trust or not.
Security Questions
You’ve seen them. The Security Question. Sign up for an account, pick a password, then fill in the answers for a few questions so that the system can identify you in case you lose your password.
The problem with these is that the answers to the questions are weaker alternatives to the passwords themselves. Both require the user to identify themselves via a string that only they should know. The questions, however, have two flaws:
1. The answers to the questions are generally not considered confidential. “Your mother’s maiden name” is a piece of information that may not be commonly known, but is not exactly often considered secret either. Same for the names of the schools you attended. With the rise of social networks and the vast amounts of personal data individuals fill out in these, it’s become easier than ever for someone else to answer these questions correctly.
2. The answers are not random character strings. Think of all of the times you were told that a good password must contain symbols and numbers or what have you. This is a good practice, and it’s to help ensure that (to some degree) the password is as random as possible. Security questions often prompt for a word however, and this greatly lessens the amount of possible correct answers. An eight character password, using just lowercase letters, numbers, and ten different symbols, gives a possibility of over 20 trillion combinations, a steep hill for a brute force attack. Yet the English language has, at the high end of estimates, barely a million words. Quite a lot, but far less daunting. (This is a very simplistic example, but I believe the point stands.)
There’s been a lot of talk on the first point, but Light Blue Touchpaper has a really neat post focusing on the second. They reference a recently published paper that goes into the details on how successful drive-by brute forcing of accounts via the security questionnaire is, and it’s surprisingly high.
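To put numbers on the second flaw and on guessing the same few answers across many accounts, here is an added example (not from the original post or the referenced paper). The answer frequencies are constructed sample data and the function names are hypothetical.

```python
import math
from collections import Counter

# Figures taken from the post: 26 lowercase letters + 10 digits + 10 symbols,
# eight characters long, versus a high-end estimate of English words.
PASSWORD_ALPHABET = 26 + 10 + 10
PASSWORD_LENGTH = 8
ENGLISH_WORDS = 1_000_000


def keyspace(alphabet_size, length):
    """Number of distinct strings of `length` drawn from `alphabet_size` symbols."""
    return alphabet_size ** length


def bits(space):
    """Size of an answer space expressed in bits (log2)."""
    return math.log2(space)


def uniform_success(guesses, space):
    """Chance of hitting one uniformly random secret with `guesses` tries."""
    return min(guesses, space) / space


def trawl_success(answer_counts, guesses):
    """Share of accounts opened by trying the `guesses` most common answers
    on every account, given how often each answer occurs."""
    total = sum(answer_counts.values())
    return sum(n for _, n in answer_counts.most_common(guesses)) / total


def constructed_sample():
    """Constructed data: 1,000 accounts, 100 sharing five common surnames,
    the other 900 each with a unique answer. Not taken from the paper."""
    counts = Counter({"smith": 30, "johnson": 25, "williams": 20,
                      "brown": 15, "jones": 10})
    counts.update(f"surname{i}" for i in range(900))
    return counts


if __name__ == "__main__":
    space = keyspace(PASSWORD_ALPHABET, PASSWORD_LENGTH)
    print(f"8-char password: {space:,} combinations ({bits(space):.1f} bits)")
    print(f"dictionary word: {ENGLISH_WORDS:,} ({bits(ENGLISH_WORDS):.1f} bits)")
    sample = constructed_sample()
    for k in (1, 3, 5):
        print(f"{k} guesses/account: answers {trawl_success(sample, k):.1%}, "
              f"random password {uniform_success(k, space):.2e}")
```

On the constructed data, three guesses per account open 7.5% of accounts through the question, while the same three guesses against a random eight character password are effectively zero.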
So what does one do about it?
1. Refuse to play along. One of the best pieces of advice I received from one of my infosec professors: If you have a security question, answer it with something else entirely. If it asks for say, your mother’s maiden name, put in the name of your school. Make it something hilarious, and you’ll be better able to remember it. Even if someone does find out your mother’s maiden name, an attacker will be puzzled as to why it doesn’t work.
2. According to the paper though, even that may not be enough. While the paper focuses on single names, (and the above, I think, will give you a reasonable level of security) the use of an actual word is still relatively weak for the reasons I outlined above. So use a password. Make it the same as the one you use for the account, or a different one. Both the question and the actual password challenge (and you do use a strong password, right?) will be protected at the same level.
But what if you do actually forget your password? Isn’t that what this was supposed to fix? The first suggestion would be to use a password escrow manager, such as KeePass, so that you only have to remember one password, and can then access all of the others. The other suggestion? Write it down. Seriously. Write it on a pad of paper, and protect that paper. If you’re in a work environment, then this does not apply. Your office is not private. (No, really, it’s not. You don’t own or control the building.) But for home, it’s more than sufficient. Keep it hidden in a desk or so, and pull it out when you need to. You’ll lessen the number of passwords you need to remember and make it easier to create more complex ones.
The Dislike Button
Over the past months/year, Facebook users have been clamoring for a “Dislike” button in addition to the “Like” button that exists. Imagine my surprise when I saw a page claiming to be “THE DISLIKE BUTTON***OFFICIAL APPLICATION”
I wanted to see just what was here, so I fired up VMware with a sandboxed machine, and created a dummy Facebook account.
First thing there was a giant image map made to look like Facebook. This ran under its own tab on the Dislike Button wall page.

The button it points to isn’t actually a button at all, but an image map that consumes the whole right side of the page. Clicking it expands a window asking the user to fill out a survey in order to download the app. The window was actually loaded from “the-dislike-button.com”. Loading the app in Firefox with Adblock installed prompted me with a message asking me to disable the adblock software before I could view the page. Interesting.
So I did. Then I got this:

See that text at the very top? Just what it says. $9.99 a month. The fine print below was even better:
“Summary terms: This is an auto renewing subscription service that will continue until canceled anytime by texting STOP to short code 70438. Available to users over 18 for $9.99 per month charged on your wireless account or deducted from your prepaid balance”
The survey was a 10 question quiz which then prompted the user to enter their telephone number to get the results. I entered a bogus 555 number and clicked through.
At that point, I got a number of other ads, a “mywebsearch” toolbar installer, followed by a few other popups.
Meanwhile, the Dislike Button app page is still waiting for me to complete my surveys. After clicking through whatever I could, I still didn’t manage to install the app. I can only imagine what would have happened then. (At the very least, this organization would now have whatever Facebook private info I had posted.)
The strategy behind this isn’t new: Something is offered, which will be given after a free survey or the like, which collects the user’s contact info as well as inadvertently signing them up for purchases they didn’t intend to make. First time I’ve seen it on Facebook however.
What surprised me was the number of fans. Over 300k as of this evening.
So! Lessons learned? Be wary of disingenuous apps. My thoughts on Farmville or anything else aside, no app will ask you for anything other than an “install” button through the actual Facebook site. No surveys or anything required. Also, read the fine print.
For those of you who do have third-party apps installed, consider how they’re configured and what data you’re sharing with them. For a good guide on how to limit or remove apps, I recommend the excellent Ars Technica Facebook Privacy Guide.
When it comes to free apps or amazing offers, it helps to remember that “there is no such thing as a free lunch”. No one, (except for maybe the most diehard open source geeks =P ) sits and codes for days and then releases their app for free. Everyone has an angle, or something they’re getting out of it. Read the fine print, and ask yourself what the motive is. You’ll usually find the price soon after.
That’s not to say the price is never worth it, but when it’s your personal info or security at stake, it never hurts to ask.
Is this the Droid you are looking for?
I’ve been on a bit of a social media kick as of late, starting up a Twitter account and launching a new website. I place a lot of blame for that on my smartphone. Having slowly gotten hooked on the concept of mobile e-mail by my work Blackberry (gateway drug?) I planned on getting a Storm2 soon after its release. Reviews for the device were mediocre, but many were glowing in praise for Motorola’s Droid, the Google Android powered device also being offered on Verizon’s network.
“Why didn’t you jump on the iPhone?” you ask. Variety of reasons. For one, I’m not a big early adopter of personal electronics and social apps. Not sure why. My PCs are cutting edge, but I didn’t get an iPod till the 4th generation. The Droid represented my first foray into smartphones (aside from my work Blackberry, and that was slow in coming.) In some cases it’s a lack of device maturity, in others, I fail to get taken in by the hype. It’s probably a personality issue; the more everyone jumps on something, the more unlikely I am to do so myself, an irrational thought that what’s suddenly good for everyone is, for that reason, not good enough for me or something. But I usually come around eventually, and that has its own rewards, in that I’m usually introduced to a more polished product.
So life has been different with a smartphone in my pocket. And with it has been the desire to use more and more of the “web 2.0” everyone talked about so much, because now it suddenly makes sense. It’s far from a phone in your pocket, it’s a computer in your pocket, and with the cellular network, it’s having the world with you at all times.
I can share trivial things, quickly and with little interruption. “I saw this, and it’s cool.” Is it important? Probably not. But quick text and “status” updating apps such as Facebook and Twitter have made it easy to share the odds and ends we run into every day. The key to this though is not only the ability to share these things quickly and with little effort, but to read and absorb them with little effort as well. I think this last point is the more important of the two, and it finally clicked to me the other day that this is the reason Twitter is so popular. I can get very brief, simple updates from many people, and it all but takes a few seconds. This seamlessness is what makes it so much more convenient and appealing over a direct e-mail or phone call.
The result of this also is that we can rack up social points and time with people without having to establish a dedicated conversation over the phone or so, which isn’t always convenient. And it enables interaction with many people at once, instead of overly focusing on one.
That’s not to say that face-to-face time has suddenly fallen by the wayside. But for the times when you want to have trivial conversations with someone throughout the day, it’s a welcome development.
The information at one’s fingertips astounds me. I get traffic info on my phone. My fiancee e-mails me grocery lists. I have my full calendar with me in my pocket, which syncs to the cloud, and to my friend’s calendars as well if I wish them to. (Which is awesome when you’re planning for a group.) Ask a question, and I can wiki it on the spot.
On the techie side of things, the fact that 3G and cellular networks in general are becoming more and more like a general internet service is evident in its networking capabilities. I can tether a computer network to my phone, forward all of the traffic over an SSH tunnel to a proxy server at home, or any other number of things. (The ability to do this and establish a Remote Desktop connection on my phone still awes me.)
Of course, many of these things are not unique to the Droid. iPhone will do it, Windows 7 Mobile will do it, other Android devices will do it, as will Palm. Pick your poison. Eventually though, just as we saw with camera phones and color screens, we’ll all have one of these. I do find that rather cool.
There are of course, changes and consequences of any great technological change. Here’s a few I can think of just off the top of my head:
- The current regulatory climate is ill-prepared for these sorts of services. Cable networks, phone networks, cellular, and internet, are all regulated differently. But these services all ceased to be different a long time ago. All of these networks run on Internet Protocol now, and all of them deliver some if not all of the services the other provides. The only differing mechanism is the physical medium each service uses. Rules need to be drawn up for “Information Services” (since that’s what all of these are) and placed under that framework.
- Some commentators have been warning of security issues on the phone in the past. If they were early then, they aren’t now. This is a full-blown computer in your pocket, and has all of the same attack surface as your PC at home. As these are becoming more ubiquitous (and they are), this will become more and more of an issue. Smartphones, (which again, are really pocket computers) are not thought of as devices in the same class as a desktop or laptop. This will need to change quickly.
- Many privacy issues exist. I’m not necessarily talking about wiretapping. One of the key differences between your smartphone and your PC is that you control your PC. You have physical access to it, you can build your own, wipe it, load your own software, etc. It is your device, and so long as it understands Internet Protocol, you are free to control it as you wish. This is not true of your phone. With the exception of the handful out there hacking apart Android, your phone company controls your handset. Its features and functionality are ultimately delegated to you by your service provider. We’ve seen the dangers of network operators who abuse this control. It will need to be something that’s carefully looked at. Google’s Nexus One concept is promising in that it removes the provider from the handset, but it is by no means a total cure.
- We’ve seen these people: Persons talking on the phone in their car. Persons furiously typing away at their Blackberries in a meeting, elevator, or even while you’re talking to them. Extraordinary convenience creates extraordinary temptation to “check” on things every few minutes. I’m totally guilty of this. This is not a technological problem, but a human one. Self control. The recipient of a phone call or e-mail does not demand automatic response. People cannot expect an immediate response from you where you provide no expectation of one. This is an option I think people don’t exercise often enough.
That’s enough out of me for now. Do you have a smart phone? What do you use it for? What are you hoping to use it for? If you’re pressuring friends to get one (like I am. =) what are you hoping they’ll use it for? Post below!