{"id":119,"date":"2014-04-20T06:56:02","date_gmt":"2014-04-20T06:56:02","guid":{"rendered":"http:\/\/blog.maclawran.ca\/?p=119"},"modified":"2014-04-21T20:46:34","modified_gmt":"2014-04-21T20:46:34","slug":"privacy-and-security-on-the-internet-circa-2014","status":"publish","type":"post","link":"https:\/\/blog.maclawran.ca\/?p=119","title":{"rendered":"Privacy and Security on the Internet circa 2014"},"content":{"rendered":"<p>I&#8217;m still cleaning up after <a title=\"Heartbleed website\" href=\"http:\/\/heartbleed.com\/\" target=\"_blank\">Heartbleed<\/a> &#8211; a little bug that essentially rendered a lot\u00a0of encrypted communications completely useless from March 2012 to now.\u00a0 Plus they get bonus points for giving the bug a really cool, scary name.\u00a0 Plus like a totally awesome logo.\u00a0 <strong>That&#8217;s the best marketing for a security vulnerability I&#8217;ve ever seen.<\/strong><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-124 alignright\" src=\"http:\/\/blog.maclawran.ca\/wp-content\/uploads\/2014\/04\/Screen-Shot-2014-04-20-at-2.47.07-AM.png\" alt=\"Screen Shot 2014-04-20 at 2.47.07 AM\" width=\"167\" height=\"189\" \/><\/p>\n<p>I remember a long time ago, back before email used the @ sign, when mail was bounced from machine to machine to machine, and you needed to know not only who you wanted to talk to, but what machine they were on, and what machines talked to their machines.\u00a0 I was <strong>uunet!sobeco!paxmtl!sean<\/strong> back then, cause most everyone knew how to get to the <strong>uunet<\/strong> machine.<\/p>\n<p>That&#8217;s when I remember being told, and I forget by who, about email security.<\/p>\n<p><strong>&#8220;Think of email as if you&#8217;re sending a postcard&#8221;.<\/strong><\/p>\n<p>Ponder that for a bit.\u00a0 It implies that anyone along the way can read your email. 
<strong>Have no expectation of security.<\/strong><\/p>\n<p>If you&#8217;re working on confidential stuff, you can ask me to sign an NDA.\u00a0 Or do what I do: <strong>Keep your mouth shut. <\/strong>If it&#8217;s a real secret, like an awesome patent application, keep your mouth shut until you file, then talk.<\/p>\n<p>I was also an admin at the time of the first huge computer security episode in 1988 &#8211; <a title=\"The Morris Worm\" href=\"http:\/\/en.wikipedia.org\/wiki\/Morris_worm\" target=\"_blank\">The Morris Worm<\/a>.\u00a0 We weren&#8217;t affected since we were running a relatively obscure version of Unix that was immune to the worm.\u00a0 Robert Morris is now with <a title=\"Hacker News\" href=\"http:\/\/news.ycombinator.com\" target=\"_blank\">Y Combinator<\/a>, and doing more cool things.\u00a0 The case was resolved amicably in large part because his father, also named <a title=\"Robert Morris\" href=\"http:\/\/en.wikipedia.org\/wiki\/Robert_Morris_%28cryptographer%29\" target=\"_blank\">Robert Morris<\/a>, was a cryptographer as well as the Chief Scientist at the NSA&#8217;s National Computer Security Center.<\/p>\n<p>The elder Morris has some great security rules:<\/p>\n<ul>\n<li><strong><em>The three golden rules to ensure computer security are: do not own a computer; do not power it on; and do not use it.<\/em><\/strong><\/li>\n<li><strong><em>Never underestimate the attention, risk, money and time that an opponent will put into reading traffic.<\/em><\/strong><\/li>\n<\/ul>\n<p>Funny about that Heartbleed bug.\u00a0 A little bad code in an open source product: OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable.\u00a0 The thing about Open Source is that anyone can go look at that code, use it, and change it.\u00a0 You, me, the NSA.\u00a0 That&#8217;s a level playing field. 
No backdoors, nothing funky.<\/p>\n<p>The availability of code for public inspection is supposed to increase its security (many eyes).\u00a0 In this case it didn&#8217;t.<\/p>\n<p>In the aftermath of the Heartbleed bug, Bloomberg published an article claiming that <a title=\"NSA heartbleed\" href=\"http:\/\/www.bloomberg.com\/news\/2014-04-11\/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html\" target=\"_blank\">the NSA may have known about this bug, and may have been using it to collect information for years.<\/a><\/p>\n<p><strong>Pssst&#8230;. everyone&#8230; THAT&#8217;S THEIR JOB.\u00a0\u00a0<\/strong>If the US has a spy agency that couldn&#8217;t and didn&#8217;t do that they&#8217;d be a bunch of idiots.<\/p>\n<p><strong>The real problem is that now that the exploit is out in the open, with source code to match, every kid from here to Kiev is going to be pounding on unpatched servers.\u00a0 That&#8217;s really gonna suck.\u00a0 <\/strong><\/p>\n<p><strong>So boys and girls, do change your passwords.<\/strong>\u00a0 But only after the site in question has patched its OpenSSL and swapped out its certificate; until then the new password goes out through the same hole as the old one.<\/p>\n<p>But what about the massive collection of information by the NSA?\u00a0 Isn&#8217;t it terrible?<\/p>\n<p>No, not really.\u00a0 Not if you consider everything you put out there as being on a postcard.<\/p>\n<p><strong>The collection of information in itself isn&#8217;t really a problem.\u00a0 The tricky part is what that information gets used for, by whom, and under what circumstances.<\/strong><\/p>\n<p>J. 
Edgar Hoover <a title=\"Hoovers secrets\" href=\"http:\/\/www.thedailybeast.com\/articles\/2011\/08\/02\/fbi-director-hoover-s-dirty-files-excerpt-from-ronald-kessler-s-the-secrets-of-the-fbi.html\" target=\"_blank\">had private files on lots of people full of\u00a0embarrassing secrets<\/a> &#8211; and he\u00a0used them.\u00a0 So it&#8217;s not the data that&#8217;s important &#8211;<strong> it&#8217;s <img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-123 alignleft\" src=\"http:\/\/blog.maclawran.ca\/wp-content\/uploads\/2014\/04\/Screen-Shot-2014-04-20-at-2.45.30-AM.png\" alt=\"Screen Shot 2014-04-20 at 2.45.30 AM\" width=\"215\" height=\"267\" \/>having data which, when placed in context, becomes leverage.<\/strong><\/p>\n<blockquote><p>&#8220;While there is ample evidence that Hoover used the information in his files for blackmail, there was usually no need for it. Simply the perception that he had such information was enough to keep politicians in line.&#8221;<\/p><\/blockquote>\n<p>Here&#8217;s a secret.\u00a0 Google and Facebook know more about all of us than the NSA ever will.\u00a0 And while Google has generally been pretty good with privacy, Facebook really hasn&#8217;t&#8230; and they don&#8217;t intend to be either.<\/p>\n<p style=\"text-align: left;\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-121 alignright\" src=\"http:\/\/blog.maclawran.ca\/wp-content\/uploads\/2014\/04\/Screen-Shot-2014-04-20-at-2.16.01-AM.png\" alt=\"Screen Shot 2014-04-20 at 2.16.01 AM\" width=\"223\" height=\"78\" \/>The only difference is that they tell you what they want, right in the <a title=\"Facebook permissions\" href=\"https:\/\/www.facebook.com\/help\/210676372433246\" target=\"_blank\">terms of service and permissions<\/a> you have to grant their app.\u00a0 In short, their app wants permission to:<\/p>\n<ul>\n<li><strong>Read your text messages (SMS or MMS)<\/strong><\/li>\n<li>Download files <strong>without 
notification<\/strong><\/li>\n<li><strong>Read\/write your contacts<\/strong><\/li>\n<li>Add or modify calendar events and send email to guests<strong> without owners\u2019 knowledge<\/strong><\/li>\n<li>Read calendar events <strong>plus confidential information<\/strong><\/li>\n<\/ul>\n<p><strong>Noodle on that for a while.\u00a0 Sounds like Facebook can do whatever the hell they want with your phone and data, and can do it on your behalf, without telling you.\u00a0 And use it for marketing.\u00a0 Or whatever.\u00a0 With your permission of course, because nobody reads Terms of Service anyhow.<\/strong><\/p>\n<p><em>We&#8217;re giving away more privacy and security than ever before.\u00a0 That&#8217;s the problem.\u00a0<\/em><\/p>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p class=\"excerpt\">I&#8217;m still cleaning up after Heartbleed &#8211; a little bug that essentially rendered a lot\u00a0of encrypted communications completely useless from March 2012 to now.\u00a0 Plus they get bonus points for giving the bug a really cool, scary name.\u00a0 Plus like a totally awesome logo.\u00a0 That&#8217;s the best marketing for a security vulnerability I&#8217;ve ever seen.&hellip;<\/p>\n<p class=\"more-link-p\"><a class=\"more-link\" href=\"https:\/\/blog.maclawran.ca\/?p=119\">Read more 
&rarr;<\/a><\/p>\n","protected":false},"author":1,"featured_media":124,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_exactmetrics_skip_tracking":false,"_exactmetrics_sitenote_active":false,"_exactmetrics_sitenote_note":"","_exactmetrics_sitenote_category":0,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-119","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/blog.maclawran.ca\/index.php?rest_route=\/wp\/v2\/posts\/119","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.maclawran.ca\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.maclawran.ca\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.maclawran.ca\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.maclawran.ca\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=119"}],"version-history":[{"count":4,"href":"https:\/\/blog.maclawran.ca\/index.php?rest_route=\/wp\/v2\/posts\/119\/revisions"}],"predecessor-version":[{"id":126,"href":"https:\/\/blog.maclawran.ca\/index.php?rest_route=\/wp\/v2\/posts\/119\/revisions\/126"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.maclawran.ca\/index.php?rest_route=\/wp\/v2\/media\/124"}],"wp:attachment":[{"href":"https:\/\/blog.maclawran.ca\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=119"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.maclawran.ca\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=119"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.maclawran.ca\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=119"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}