Monday, July 16, 2007

NBC Today Show says kids on Internet responsible for wrongdoing of others with their profiles


On the NBC Today Show (Monday July 16 2007), Internet safety expert Ruth Peters discussed the dangers to high school and college students and their families from personal profiles (especially photos), even on whitelisted sites that are supposed to restrict who can view them. (That’s automatically true with Facebook.) As in the Miss New Jersey case, persons sometimes acquire material and post it anyway in other profiles, or even make up fake profiles.

Ms Peters suggested that parents supervise their kids’ sites and insist on knowing passwords. (She assumes that the parent pays for Internet access, but that may not always be true.) One point that she stressed is that other family members and home security could be compromised this way, and that the teenager will be held responsible for what is on his site even if others post harmful materials on it or hack into it. This gets into the anti-libertarian idea of being held responsible for the actions of others, which is a bit of a rub. (When am I to be my brother's keeper? Always, say the Gospels!) But it also comes out of the “amateur” nature of user-generated content on the Internet.

Internet companies start offering visitors website safety and search engine screening


In earlier postings (especially a recent book review [on my book review blog as on my Profile] at the end of June) I’ve talked a bit about more recent concerns over “amateurism” on the Internet with user-generated content and personal blogs and personally owned sites. Recently the “free market” of Internet companies has started offering website evaluation for visitors.

McAfee, for example, offers SiteAdvisor (and a Plus version that one can pay extra for), which grades search engine results, and also sites when they are brought up, as green, yellow or red, like a traffic light. Depending on one’s settings, yellow and red sites are blocked until overridden. The criteria include email signups and reports of excessive automated emails, downloads (presumably of applications), online affiliations (links to other sites), annoyances, and user comments. Many sites have not been tested and remain “gray”. Some sites, especially blogger sites, have testing start and remain unfinished for a long time (that is true of this blog), and that does not seem to mean that anything is wrong. Possibly McAfee is determining how to report online affiliations entered by users in comments, an issue that would raise questions about fair scoring.

At least one major corporate site, television station WJLA (7), affiliated with ABC, in Washington DC (actually Arlington VA), got a yellow for sending more than 15 emails a week. This is easy to override but it seems a bit overreaching. I do not receive excessive emails from WJLA even though I signed up, and I look at the site all the time with absolutely no problems. So there could be factual issues.

It appears that McAfee ratings apply to whole domains, not to individual files.

More recently, after watching David Boaz and Nick Gillespie discuss libertarianism on NBC’s McLaughlin Group, I tried Google for the show and got, for mclaughlin.com, in the search engine results, “This site may harm your computer.” This warning would appear to apply to the whole site, not just one file. I looked at the links and found a connection with stopbadware.org, although Google says it uses its own criteria, too. Both sites give procedures for webmasters to contest the appearance of this message. I did not override the result and visit McLaughlin Group’s own site (it has another site on CNBC that does not get the message), but I believe it is quite likely that this warning for them could be a “false positive” (due to some harmless but misinterpreted script somewhere, maybe on one insignificant file) and is likely to disappear soon when the McLaughlin Group contests it.

Note: I do see that this McLaughlin problem could be from an involuntary redirection to Wikipedia.

Stopbadware gives this link defining badware.

The site also says, “StopBadware does not independently test or review the sites provided by trusted third parties unless there is a request for review; rather, StopBadware merely hosts the lists of badware websites provided by third parties.” Link: Here is their FAQ page:

The “Manifesto” blog here is interesting and talks about the Anti-Spyware Coalition.

The organization also claims that innocent website owners sometimes get hacked because of inadequate security at some ISPs. The page with security tips is this: One danger is a so-called “injection attack” with “invisible iframes” and “obfuscated code.” Even so, most larger corporate ISPs can probably provide better security (to subscriber webmasters, even individuals) through shared hosting and dedicated hosting services than can novice users running their own servers, but very skilled professionals (those well versed in scripting languages and security) may want to do this on their own. This, again, is a disturbing reminder of the “amateur” question.
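A webmaster-side check for the injected “invisible iframes” and “obfuscated code” mentioned above, as an added example that is not from StopBadware or this blog. The heuristics, the `scan` helper and the sample page are constructed for illustration and would be run against copies of one's own site files.

```python
import re
from html.parser import HTMLParser

# Inline styles that make an element invisible to the visitor (assumed heuristics).
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden"
    r"|(?<![\w-])(?:width|height)\s*:\s*0*[01](?:px)?\s*(?:;|$)", re.I)
# Constructs that commonly show up when an injected script has been obfuscated.
OBFUSCATION = re.compile(
    r"\beval\s*\(|\bunescape\s*\(|String\.fromCharCode|(?:%[0-9a-f]{2}){8,}", re.I)

class InjectionScanner(HTMLParser):
    """Collects (line number, reason) findings for one HTML document."""
    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe":
            tiny = any(a.get(d, "").strip() in ("0", "1") for d in ("width", "height"))
            if tiny or HIDDEN_STYLE.search(a.get("style", "")):
                self.findings.append(
                    (self.getpos()[0], "invisible iframe -> " + a.get("src", "?")))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and OBFUSCATION.search(data):
            self.findings.append((self.getpos()[0], "obfuscated script"))

def scan(html):
    scanner = InjectionScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page: one legitimate embed, two hidden iframes, one obfuscated script.
SAMPLE = """<html><body>
<h1>My essay</h1>
<iframe src="http://video.example/embed" width="480" height="320"></iframe>
<iframe src="http://injected.example/x" width="0" height="0"></iframe>
<iframe src="http://injected.example/y" style="visibility:hidden"></iframe>
<script>var year = new Date().getFullYear();</script>
<script>eval(unescape("%64%6f%63%75%6d%65%6e%74"));</script>
</body></html>"""

if __name__ == "__main__":
    for line, reason in scan(SAMPLE):
        print(f"line {line}: {reason}")
```

A finding is a prompt to compare the file against a known-good copy, not proof of compromise; legitimate pages sometimes use hidden frames or `eval`.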

Two files on one of my sites were hacked in 2002, one of them an essay on WMDs. It was determined (by a fellow "libertarian" expert) that a Unix Site command had probably been left open at the ISP. The correct files were easily recovered and the incident did not recur. (The corrupted files were sent to law enforcement but I never heard anything, of course.)

Update: July 19

WJLA now tests green with McAfee Site Advisor. However, the cache still blocks it until I unblock; this seems to be an issue with how McAfee talks to Mozilla.

However today (July 25) I found another site that McAfee rates as red (for sending viral emails) on searches and access, but gives green if one requests a report.

Monday, July 09, 2007

Miss New Jersey a victim of a dangerous Internet prank


John Springer has a story on the NBC Today show and MSNBC regarding the private photos of Miss New Jersey, Amy Polumbo. She posted some pictures on a “whitelisted” site that only people with passwords could access. She did not post them on a public site accessible to search engines or the public. Apparently, someone obtained the photos by hacking and then tried to use them for blackmail. The photos apparently do not contain anything illegal or violating her contract, but she fears that someone could doctor the photos. State and national pageant winners are held to very strict publicity and moral turpitude clauses (including appearing in the nude), that can be easily undermined by others.

The correct link is here. (There is a bad hyperlink on the Today site today; one of the links takes the visitor to the incorrect story, about Atlantic City.)

Generally, schools and universities have encouraged students to consider posting pictures and personal information only on private servers, not open to the general public, as a way of protecting personal and familial privacy and personal information. Some of these concerns have also been motivated by recent trends among employers to troll social networking sites for undesirable information about job applicants.

(Later information is that her title will not be taken away.)

Apparently the current Miss America (Lauren Nelson) assisted NBC Dateline with a well-publicized sting in New York (on Long Island) attracting internet predators.

Update: July 25, 2007


On July 24, 2007 Miss America (Lauren) told Congress that education in legal and safety issues in Internet use (provided by public schools) should be mandatory before minors can go online.

Update: Aug 26, 2007; Teacher apparently defamed by video on Net

In a somewhat similar situation, ABC News posted a story "Teacher's Nightmare: Ogling Video on You Tube: Internet Videos such as 'Hot for Teacher' Clip Raise Privacy Concerns," here.
The inappropriate video of a female teacher was shown at a fifth grade graduation ceremony in Charlotte, NC. It got posted on YouTube, which removed it for copyright infringement upon notice from the teacher. The story indicates that the law on this is still hazy. However, in December, Dr. Phil had reported about a teacher about whom some kids made a fake profile on Myspace (see my "issues" blog Dec 6).

Friday, July 06, 2007

False identities off Internet used to procure equipment in Britain



Today, Friday, July 6, 2007, Brian Krebs has an important story in The Washington Post, the top of page D01, on how accomplices in the recent string of incidents in Britain bought illegal supplies with stolen identities. The story is here.

The article discusses a woman in New Jersey who was fooled by a phishing email asking her to update her EBay information. That information was used to purchase supplies under her identity. (Note: I don’t repeat the names of targeted people here, since spiders would pick them up, although the names are still going to be picked up from the media sites by search engines.) This could have happened with any financial site, or a social networking site. I note humorously that the plot of the recent hit film “Transformers” is driven by the fact that the EBay page of a teenage boy captures the attention of the bad guys out in outer space (I guess the speed of light is no limit to the reach of the Internet now). The article goes on to discuss (in graphic detail) the way the bad guys use “free speech” to post jihadist propaganda and instructions on the Internet.

One concern, expressed by earlier postings on this blog, is whether anyone has liability if he or she fails to practice proper computer security and as a result others are harmed. There have been prosecutions based on stolen identities, but these prosecutions have not been legally justifiable once the facts are shown – still the experience is horrifying and can cost thousands in defense fees. With some offenses becoming “strict liability” offenses, I wonder what would happen if someone’s computer were hijacked if they didn’t practice proper security.

There are similar stories on page A1 of the July 6, 2007 Washington Times, by Ben McConville (AP) and Audrey Hudson (WT staff). The stories point out that British law on incitement through the Internet may be tougher than US federal and state laws.

Brian Krebs does have a “Security Fix” blog at The Washington Post at this URL:

Remember, newspaper stories often require registration and sometimes require credit card purchase.

Visit my related blog on consumer identity protection.

Tuesday, July 03, 2007

CERT has a good forensics page


Home and small business users may want to take the time to explore the Forensics link at the CERT website of Carnegie Mellon University in Pittsburgh. The link is http://www.cert.org/forensics/

One of the major forensic tools is called “Live View”, which uses visualization technology to look at disk images on physical drives. Live View has a Limited Edition version available only to law enforcement agencies. There is much discussion of the “Virtual Machine”, which is a concept that IBM uses in the mainframe world to describe a facility to switch among different operating systems (but in the 1980s it was used as a kind of operating system itself, making a 4300 style mainframe behave like a DOS PC from the point of view of the user).

There are two large PDF files on basic and advanced forensics, and these have a lot of discussion of the technical details of file systems on hard drives in various operating systems. These PDF files are set up in such a manner that they cannot be saved as such on the user’s computer, only as text files.

Forensics is an important topic, because it is critical in preventing individuals from being framed for crimes committed by hackers, certainly a John Grisham novel-like concern that could become more common in real life. Some more detailed technical knowledge can help the user become more prudent in his or her own best practices.

Hardware forensics would become important in a situation where a person's computer had actually been used (tracked by IP address) in order to prove that the computer had previously been "hacked."