The AJAX assault on privacy

Every new technology brings new dangers, it seems. AJAX can make Web pages look great, or it can enable sneaky dealings:

"The Associated Press reported last week that Facebook users who make purchases at sites participating in the program have just 20 seconds in which to opt out of having that information published. That's because the opt-out mechanism consisted of a small pop-up that vanishes 20 seconds after it appeared. After the window disappears, so does the user's chance to opt out."

Let's hope the courts throw the book at such shenanigans.

Posted on November 26, 2007 at 01:02 PM in Securing the Net

SPJ Podcast #3: Scott Chasin on trusted communications

On Monday I will be moderator of a panel in San Francisco, "Smartphone & Wireless Security: Steps to Safeguarding Your Business," at 2:00 p.m. at the Smartphone Summit.

In preparation for this panel, I wandered down to ISPCON on Thursday to see what the ISP industry has done lately to ensure that the communications we receive from others can be trusted to really be from those we believe sent them. This led me to have a chat with Scott Chasin of MX Logic, who was a guest on my Opening Move podcast back in 2005. On Friday, Scott and I talked for about 18 minutes about whether DomainKeys Identified Mail (DKIM -- which we mistakenly referred to as DKAM) and digital signatures, used alone or together, can help improve the state of trusted Internet communication. Among the highlights of our conversation:

  • We will still need firewalls on all our mobile devices
  • DKIM won't be foolproof
  • The days of downloading software from the Web that hasn't been vetted by your trust silo of choice are numbered

Posted on October 20, 2007 at 10:27 PM in Securing the Net

Not giving a birth date

One's date of birth is a crucial piece of personally identifying information. Don't let any Web site publish such information without your explicit permission. There appear to be many social networking sites that don't respect this, such as this one. Don't register with them if you value your privacy. Phishers are already exploiting it.

Posted on May 29, 2007 at 11:31 AM in Securing the Net

Olan Mills Portrait Studio says your digital photos are too dangerous for them to use

My family sat last night for a portrait at our church for a new directory. Olan Mills Portrait Studio, a photography service hired by the church, immediately presents you with digital images of their portraits for your review and selection. Although they will accept your own alternative 4-by-6 photo prints for things such as a church directory, a representative informed us that they do not accept digital photo files (such as JPEGs) from customers for fear of being infected by a computer virus embedded in the digital file. Hmm, that never stopped Flickr from publishing photos received from everybody -- that's all they do. Maybe Olan Mills should acquire a bit of the Flickr anti-virus technology. They've certainly gone digital in a huge way otherwise.

Posted on October 21, 2006 at 04:25 PM in Securing the Net

Encrypting VoIP with Zfone

I'm at VON Spring 2006 where PGP creator Phil Zimmermann is introducing Zfone, impressive-looking encryption software for Voice over IP conversations. It's quite decentralized and does not require public key infrastructure. Slashdot had the story two days ago. Phil has submitted the protocol behind Zfone to the IETF for standardization. It's so cool that it already works with Gizmo; if the Zfone client for Windows ships soon, this will end up on many lists of top new software of 2006. It also takes away one big reason for entering the Skype walled garden. Skype does its own encryption, but doesn't interoperate with other standards-based VoIP services. (That's why Skype has no presence at VON.)

Posted on March 16, 2006 at 02:48 PM in Securing the Net

Viewpoint says it's not spyware

My original post on Viewpoint described it as spyware. But the makers of Viewpoint deny it's spyware. Evidently it's just a pesky piece of software that may install itself somewhat surreptitiously and then require updating, which is when I first became aware of it. Despite Viewpoint's denials, at least one spyware removal tool has identified Viewpoint as spyware.

Posted on November 15, 2005 at 10:57 AM in Securing the Net

Malicious opt-out attacks

Anti-spam vendors are fighting on an ever-increasing number of fronts. Don't believe me? Listen to Scott Chasin, late in my Opening Move interview, describing efforts to thwart malicious opt-out attacks.

Posted on July 7, 2005 at 03:19 PM in Securing the Net

Viewpoint: Still an irritant

Viewpoint, a "rich media player" included in AOL 9.0 and apparently inflicted on anyone installing AOL's instant messenger, remains an irritant many people consider spyware. I've had a steady stream of complaints posted as comments to a post I made back in September 2004. I haven't had any problem with Viewpoint ever since I ran Spybot Search & Destroy and removed it. (But I wonder if that violated my terms of service with AOL. Hmm.)

Posted on April 7, 2005 at 10:05 AM in Securing the Net

A trustworthy Internet

Every technology debate swirling around the Internet is converging around the notion of trust. Many email services are now untrustworthy, to the extent that many ISPs are blocking some legitimate email, intentionally or unintentionally. Now the Web is becoming untrustworthy, due to Google implementing an auto-link feature on its toolbar that will distort, for many, the apparent links included in any Web page. Statements such as "we're not evil" fall on deaf ears as the trust firestorm grows. (Don't get me started on the company that coined the term Trustworthy Computing.) What's the solution? One word: education. Don't believe those who say the average Internet user can't be educated and should instead be manipulated. But be prepared for a long, rocky road. And on the way there, we'll see a curious phenomenon: The absolute need for more generalist thought, more cross-disciplinary thought, and fewer blindered specialists focused only on one technology or one political point of view or one dogma. It's time for skepticism (some of which accounts for why my book is taking so long to write), but also for deeds, for action, not for fear. Look at Wikipedia, the best new educational tool of the new century. The way any page can be edited by anyone, it shouldn't work and should be untrustworthy. But it does work and I trust it more every day. The Wikipedia community doesn't have to go around telling people how not-evil they are.

Posted on February 28, 2005 at 09:09 AM in Securing the Net

Adware, spyware, trackware and greyware

I'm curious to know how a piece of software used by Nielsen//NetRatings managed to get itself classified as spyware. Or is it more appropriately classified as "trackware"? Or, yet again, is it something in the middle, "greyware"? This ClickZ Network story is, at the least, educational about the expanding spectrum of malware, goodware, and in-betweenware. It brings to mind a paraphrased quote I gathered at last week's RSA 2005 Conference, from Rick Wilson of the National Security Administration (NSA):

Somebody's going to figure out how to get across a wall, a low wall. They won't go into a chat room and talk about it. They'll remain hidden until something else happens. Then they'll use the castles for their own good or try to cause confusion, or possibly cause fratricide. If they're on the inside and that becomes pervasive inside our systems, how do you clean it up? Once they're on the inside there's no getting them out. What cyberwinter is about is not a massive [denial-of-service], it's this loss of confidence in the system. When somebody has to walk into the Oval Office and say we don't know how to clean it up, then you'll have national security issues and privacy issues. When organized crime gets into a law enforcement system...has anyone seen the Sopranos?

Posted on February 21, 2005 at 03:17 PM in Securing the Net