9 posts categorized "privacy"

October 26, 2008

Terrorist Twits?


Read an interesting article in Yahoo tech today about a US Army report on the potential use of Twitter by terrorists and other subversive groups. After initially rolling my eyes about the government going a little too far, I began to see how Twitter could be used by terrorists and the like. Twitter's ability to provide "live" coverage of an event is something that some of us in the security industry have used at infosec shows. The example cited by the article about activists at the Republican National Convention using Twitter to report on police movements and positions is compelling. You can see how Twitter could be used for that type of thing.

But then I think the report goes too far:

"Twitter has also become a social activism tool for socialists, human rights groups, communists, vegetarians, anarchists, religious communities, atheists, political enthusiasts, hacktivists and others to communicate with each other and to send messages to broader audiences," the report said.

"Hacktivists" refers to politically motivated computer hackers.

"Twitter is already used by some members to post and/or support extremist ideologies and perspectives," the report said.

If all they are doing is disseminating their ideas, I think it is protected under freedom of speech. It would be good to see a court hold that "tweeting your mind" is a protected form of communication and expression.


October 03, 2008

Delta steps into big brother role, do they belong there?


I for one was pleased to hear about Delta Airlines' plans to start offering wi-fi access on domestic flights. I figured that, being a platinum medallion member, there is a good chance I may even get access for free. Frankly, I was worried about security while logged on in the air. In the "closed" environment of the plane a malicious individual could play havoc with folks whose security settings may not be up to snuff. But what makes logging in on the plane any different from logging on at the airport?

Now come reports in the Atlanta Journal-Constitution and a follow-up in ComputerWorld by Mike Elgan that Delta will implement some sort of content filtering application to make sure that inappropriate web sites are not accessed while on the plane. This raises several issues in my mind. First of all, what makes Delta the judge of what is appropriate or not? Second, isn't it a bit imbecilic that they may prevent access to pornographic web sites, but have no problem with people running a porno DVD on their computer? If keeping smut off the plane is the goal, what difference does it make if it is via the web or on a DVD? Lastly, what happens when the filtering solution inevitably blocks a legitimate web site? If I paid for that access and was unable to reach a legitimate site I wanted, is Delta going to refund my fees?

It seems to me that when Delta steps into the role of big brother and regulates what I am allowed to see, I am forced to conform to their views on what is normal. If I am paying my own hard-earned cash, then as long as it is legal, Delta should not have the right to filter me. I want to make my own decisions. I also think this is a case where the market will take care of itself. Peer pressure will stop people from viewing smut on the plane better than Delta's big brother censors.


May 30, 2008

When do you have an obligation to go public?

No, not IPO public, but public about disclosing employer secrets which could pose a risk to the public. My friend Martin McKeay has written an article about the recent firing of an employee of TJX for disclosing, in a public forum, continued poor security practices by TJX. The same TJX, I might add, whose slipshod security practices caused hundreds of thousands of dollars, if not millions of dollars, in bank fraud to occur.

Many have categorized CrYpTiC_MauleR, the employee who disclosed the information on hackers.org, as a "whistleblower". Whistleblower is a term of art and in many circles will invoke some special immunity for the person who disclosed the confidential information. However, usually the disclosure is made to a person or entity with the power, or at least the willingness, to take corrective action. In this case, I think that is the missing prerequisite. Just disclosing this information on a public message board does not meet the burden of defining this as whistleblowing. I think Martin is right on there. He says CrYpTiC (if I can call him that) was not a whistleblower in the strictest sense of the word and is not due any protection. He is just another person who violated his employment terms, and his termination by TJX was perfectly justified. Let me say that I don't disagree with Martin about TJX having the right to fire CrYpTiC. They certainly do.

I have a problem with Martin when he says that CrYpTiC should have done what he himself has done, which is keep your mouth shut and move on to the next opportunity. I think that, depending on the level of wrongdoing, not only is that wrong, but by willfully withholding certain information from the authorities you could be guilty as an accomplice! Think about it, Martin: if you knew your employer was committing a crime and you just quit your job rather than report that crime, you are an accomplice. When does the responsibility for the general good outweigh your obligation to your employer? Is sticking your head in the sand and moving on, while letting illegal or irresponsible behavior go on, the right posture? I say not.

I think CrYpTiC felt strongly enough that what TJX was doing was wrong that he posted it publicly. Though he did it anonymously and did not think it would be traced back to him, he felt strongly enough that what TJX was doing was wrong that he wanted the world to know. When he made that decision, he also decided that letting the world know the truth was more important than his job at TJX. I am sure the potential future victims of TJX fraud who will now be spared that loss would thank him for it.

Martin, there comes a time when keeping your mouth shut and moving along does not cut it. You have a duty to alert the proper authorities for the greater good of the public. The question is: when does your duty to disclose surpass your duty to keep your employer's information private? I think that is a personal question that all of us have to answer ourselves. Clearly criminal activity should be disclosed; otherwise you risk criminal exposure. Beyond that it is a judgment call. But saying not to disclose and just move on is appeasement at its worst.

The real question is why the PCI Council or the government doesn't have a forum for people like CrYpTiC to go to in the future. That is what is needed!

May 20, 2008

Why making health records public is not a great idea

Fred Wilson has an interesting blog post up regarding the new Google Health service. Fred filled out his personal medical information and was disappointed that he was not able to publish this data and make it public. Fred would like to have a sidebar widget for his blog with his health profile. Many people wrote to Fred telling him why Google does not do this. Many of them centered on the fact that insurance companies would use this information against you to deny or limit your coverage. Some took shots at Fred's socio-economic status, saying that he didn't care if the insurance companies used it against him because he could afford to pay whatever he had to. Fred replies that he thinks withholding, or being less than open about, health issues to insurance companies, investors, etc. is problematic, and that in a perfect world insurance companies should not be able to use this against us. In fact Fred says:

Wouldn't we all be better off with an insurance system that wasn't able to discriminate between people based on pre-existing conditions? Wouldn't we be better off if we came together to insure everyone? Wouldn't we be better off if we knew everyone's medical conditions and what treatments worked and what did not? Wouldn't we be better off if we could search for others with the same conditions to share our experiences?

I don't believe Fred feels this way because of his socio-economic status. I think Fred thinks like this because he is, I assume, in good health. I wonder whether, if Fred were suffering from some medical condition, his views on this would change. This reminds me of the "nothing to hide" argument that some use to justify the government trampling on our privacy rights. If you have nothing to hide, what do you care? I care because it is wrong. I care about not making health records public because it is wrong. We don't live in a perfect world. Even taking Hillary's or Obama's health plans into account, we live in a world where insurance companies can discriminate against those with pre-existing conditions for the foreseeable future. Think about it: if only healthy people published their records, what would that say about the people who did not publish theirs?

Fred's point about searching for others with the same condition is fine, if they want to be found. It is inherently a person's right not to be found. In fact, today, if you want to share with a person who has the same medical condition as you, you can search and usually find a group and online community of such people. What is nice is that some of these people can share in these groups without revealing their identity. It is this ability to remain anonymous that I think makes these types of communities successful.

Fred recognizes that not everyone would want to share their records. I say that once we start dividing society into those who do and those who don't, we have already imposed a penalty on those who cherish their privacy.

July 30, 2007

Who owns your email?

A while back, on a mailing list I am on, there was a bit of discussion around who owns your email when you leave a company. In other words, after you leave, can an employer look at and use the email addressed to you at that company? Sort of like opening the mail of the people who used to live at your house, maybe. Does an employee have a right to privacy if he is using an email address and mailbox provided by his employer? These are thorny questions best left to lawyers and HR types. However, I wanted to point out a good article written by my friend Don Ulsch from Jefferson Wells.

Some of you may remember that I originally got to know Don when he and I had a slight disagreement over the use of blogs by employees. As is often the case, through that open debate I actually became friendly with Don, and he was nice enough to forward along a new article he wrote for bizAZ. Unfortunately it is not available online, so I have uploaded it (Download bizazjulyaugust_2007.pdf) for you to download if you like. In the article (which is rather short), Don makes the case for how a small business owner can institute open and fair email policies that everyone can live with and that can help prevent security and privacy concerns down the road. Don lays out some good policies and how to implement them. I recommend taking a look if you are interested in such a thing. Also, as Don points out, if you are a small business owner, the email in your employees' inboxes belongs to you, not the employee. So for all of you employees out there, remember that everything you write can be seen by big brother and belongs to him, if you are using his email box!

March 22, 2007

Mapping the world, one hotspot at a time

I have read several articles in the last few days about Skyhook Wireless, including this good one by Preston Gralla on ComputerWorld. Skyhook has spent considerable time and money having trucks drive around picking up WiFi signals and mapping their locations. Currently they are using the information to triangulate the location of AIM users, in a plug-in called "near me". Preston says that this is an invasion of privacy. This resulted in some lively discussion in the comments on the article, led by my friend Cutaway.

Before discussing the privacy and possible security implications, let me say that reading this article gave me déjà vu back to the early days of Quova. Quova is another company started by StillSecure CEO Rajat Bhargava and some of my other friends from Interliant, including Derald Muniz. Quova provides "IP Intelligence" or, as I used to call it, IP-based geolocation. Back in the early days, Quova spent a lot of time actually mapping out every IP on the Internet and used some cool stuff to assign, as best as possible, a geographic location to every IP on the net. This allowed them to instantly tell with a high degree of certainty where a user was logging on from, to within a zip code (not always). The business has grown and evolved since then, but that technology is still at its heart and is doing very well. I remember the amount of work that was involved in that mapping, so I can only imagine what Skyhook has gone through to map this out. I agree with Preston: using it just for a plug-in for AIM is not the endgame. There must be other commercial uses contemplated.

Is it an invasion of privacy? I tend to think not. They are not looking at the traffic generated on these networks, and the signals they are picking up are put out on public frequencies. Other than the existence and location of the network, I don't think they are matching it to other information. If they started overlaying it with other data, maybe that would change my mind. So, I say let them do it and let's see what other business uses they come up with for it. But like Cutaway, I wonder how reliable this information is over a period of time. WiFi networks don't put out signals over great distances, so you have to be pretty close to one to pick it up. Also, as people move or replace their wireless routers, the information can go stale in a relatively short time. Wouldn't it be better to use cell phone towers?
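As an added illustration (not Skyhook's code and not part of the original post), the sketch below shows one simple way a database of surveyed hotspots can turn a client's WiFi scan into a position estimate, and why the staleness Cutaway worries about matters: a record older than an assumed cutoff is thrown out, and a stronger signal pulls the estimate toward its access point. The survey database, BSSIDs, signal strengths and 180-day cutoff are all constructed, and the weighted-centroid method is an assumption, since the article does not describe Skyhook's actual algorithm.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class HotspotRecord:
    """One surveyed access point: its BSSID (MAC address), the position the
    survey truck recorded for it, and when it was last heard."""
    bssid: str
    lat: float
    lon: float
    last_seen: datetime


# Constructed sample survey database (assumed format; not Skyhook's data).
# Three access points a few hundred feet apart, plus one surveyed over a year ago.
NOW = datetime(2007, 3, 22, tzinfo=timezone.utc)
SURVEY_DB = {
    "00:11:22:33:44:01": HotspotRecord("00:11:22:33:44:01", 40.0000, -74.0000, NOW - timedelta(days=30)),
    "00:11:22:33:44:02": HotspotRecord("00:11:22:33:44:02", 40.0010, -74.0000, NOW - timedelta(days=45)),
    "00:11:22:33:44:03": HotspotRecord("00:11:22:33:44:03", 40.0000, -74.0010, NOW - timedelta(days=60)),
    # A router that may well have moved or been replaced since the truck drove by.
    "00:11:22:33:44:04": HotspotRecord("00:11:22:33:44:04", 41.0000, -75.0000, NOW - timedelta(days=400)),
}

MAX_RECORD_AGE = timedelta(days=180)  # assumed cutoff after which a survey record is distrusted


def is_stale(record, now, max_age=MAX_RECORD_AGE):
    """True if the survey record is older than the cutoff and should not be used."""
    return now - record.last_seen > max_age


def rssi_weight(rssi_dbm):
    """Convert received signal strength (dBm) to a linear weight (milliwatts):
    a signal 10 dB stronger counts ten times as much, so nearby access points dominate."""
    return 10 ** (rssi_dbm / 10)


def estimate_position(scan, database, now, max_age=MAX_RECORD_AGE):
    """Weighted centroid of the known positions of the access points seen in `scan`.

    scan: dict mapping BSSID -> RSSI in dBm, as a client's WiFi card would report it.
    Returns (lat, lon, used_bssids, ignored_bssids), or None if nothing usable was seen.
    Unknown BSSIDs and stale records are ignored rather than allowed to drag the
    estimate toward a location that is no longer true.
    """
    weighted_lat = weighted_lon = total_weight = 0.0
    used, ignored = [], []
    for bssid, rssi in scan.items():
        record = database.get(bssid)
        if record is None or is_stale(record, now, max_age):
            ignored.append(bssid)
            continue
        w = rssi_weight(rssi)
        weighted_lat += w * record.lat
        weighted_lon += w * record.lon
        total_weight += w
        used.append(bssid)
    if total_weight == 0.0:
        return None
    return weighted_lat / total_weight, weighted_lon / total_weight, used, ignored


if __name__ == "__main__":
    # Constructed scan: the three fresh APs heard equally, the stale one, and one never surveyed.
    scan = {
        "00:11:22:33:44:01": -60,
        "00:11:22:33:44:02": -60,
        "00:11:22:33:44:03": -60,
        "00:11:22:33:44:04": -60,
        "aa:bb:cc:dd:ee:ff": -40,
    }
    print(estimate_position(scan, SURVEY_DB, NOW))
```

With equal signal strengths the estimate lands at the centroid of the three fresh access points; the year-old record and the never-surveyed BSSID are reported in the ignored list rather than silently pulling the answer a degree off. The staleness cutoff is the knob that trades coverage for accuracy: a long cutoff keeps more of the map usable but makes the "router moved house" error Cutaway describes more likely.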

November 28, 2006

Right or wrong - you have no right to privacy in your email

My friend Martin McKeay is back up and writing over at ComputerWorld. Martin was under the weather for a while, and I am glad to see him feeling better and blogging. Martin writes today about the fact that under the Stored Communications Act (SCA), the government has had the ability to view email for nearly 20 years. Having been in the ISP/web host business, I can tell you that generally, if a government official asked us for access to records, we complied rather than risk the wrath of the government. I agree with Martin: the ability of the government to read my mail any time they want does make me a bit uncomfortable. However, right or wrong, that is the way it is.

In fact, whether it be the government, your employer or someone else, you have to assume that any email you write can be read and used by someone else. It is just a fact of electronic/digital life that we do not have the same expectation of privacy in our digital communications as we do in the analog world. I don't agree with it. I am also uncomfortable with the ease of access to private information about any one of us on the web, but these are consequences of living in this digital information age. Sure, there are ways to shield your communications. You can send mail through a server not run by your ISP but by some anonymous service, you can encrypt your messages in transit, you can wipe your hard disks. The question is how many hoops you want to jump through, and is it worth it? I would bet most of us just don't care enough to jump through these hoops. So, right or wrong, agree or disagree, our privacy being violated regarding our email is just something we have to live with, I think.

November 27, 2006

The Farnum who stole Christmas - Bah Humbug!

My friend Michael Farnum is, I know, a good person. Though we have never met in person, from the many times we have spoken and exchanged emails, I know Michael is a straight shooter with a good sense of humor and, most of all, takes his responsibility as a security professional very seriously. However, the road to hell, or in this case to Christmas, is paved with good intentions gone bad. Michael has crossed the line here with his article about how companies should be responsible Internet community members by stopping their employees from online shopping with company resources. I think he is off base here and using all the wrong reasons to justify his position.

Really, it comes down to two reasons to limit employees' online shopping during the holiday season. The first is a productivity issue. This is not the business of the security or network admin whatsoever. This is strictly a management decision. Personally, if someone is not abusing the privilege, I think there is nothing wrong with letting an employee use the company's Internet connection to do some online shopping. The alternative of shutting it down, I think, will do more to hurt company morale and spirit and wind up costing you more in productivity.

The second reason is for security purposes. Frankly, I see some merit in this. But if you have defenses in place, I think you have to give the user more credit that they are not going to do something totally stupid. On top of this, I think it is more than potential phishing attacks that you have to be careful of. Are they downloading spyware, key loggers or bot malware? However, good security in place for this type of malicious traffic should do the trick here, without having to prohibit online shopping. I have not seen enough evidence to allow the security arguments to outweigh giving users the right to surf for holiday shopping. Of course I would monitor to make sure no one is abusing this.

In any event, what really ticks me off are people who really want to limit online usage by employees for productivity reasons and hide behind the security issue to justify it. Releases like the one by St. Bernard that Michael refers to are the perfect example of this. They don't make a clear case for either productivity or security but try to lump them together with a little FUD thrown in. In any event, come on Michael, show your Christmas spirit and keep the employees happy! Ho, Ho, Ho, Merry Christmas ;-)

November 01, 2006

We know where you live ... and now how much it is worth

In another sign of how much of our privacy and anonymity is being sacrificed to the digital world comes Zillow.com. Zillow allows you to put in any address, zoom in on a Google Maps-style map and see the value of the house. Want to see how much your neighbor's house is worth? Sure. Your boss's house, your co-workers', your competition's? Maybe. Want to see how much anyone's house is worth? Just get their address. I am not saying there are no legitimate uses for this technology, but there is just something about it that irritates the edges of my conscience. I wonder what Captain Privacy McKeay thinks about it.

As a follow-up, now comes word that a group called the National Community Reinvestment Coalition has filed a complaint with the FTC charging that Zillow discriminates against black and Latino communities and that its valuations are so inaccurate as to be downright fraudulent. I am sure that does not sit well with the VCs who have invested about 57 million in Zillow. Let's see what happens.


disclaimer

  • The views and opinions expressed here are those of myself only and in no way represent the views or positions or opinions of my employer, Latis Networks, Inc. d/b/a StillSecure or anyone else.
