Tuesday, June 24, 2008

Time Magazine offers funny but disturbing piece on Wi-Fi security

Lev Grossman offers a disturbing “Nerd World” op-ed on p. 118 of the June 23, 2008 Time Magazine (the issue on “super-sized kids” who spend too much time on social networking sites, perhaps) on Wi-Fi security. The short title of the article is “Like a Thief in the Net” with the subtitle “Stealing your neighbor’s wi-fi is unethical, illegal, and not very efficient. But it sure is easy.” The article is tongue-in-cheek (the writer says he is too cheap to pay $30 for a T-shirt). The link is here.

No, I won’t repeat the details on how to misbehave. One motive for such behavior could be fun, curiosity and, paradoxically, laziness. But people who use free connections and transfer personal information (at least over unsecured connections – without the “https”) could be putting the information at risk. Some people (such as salespersons at wireless subscription companies) have said that it is unwise to work on a computer with an active wi-fi connection when personal information is on the computer, even if it is not being accessed. It does seem wise to subscribe to a for-fee service that requires an access key, from a reputable company. It is also possible to disable the wireless card when it is not in use.

I’ve seen plenty of articles about this on the Internet (mentioned in previous posts) but never such a brazen discussion in a popular mass market weekly.

The visitor may enjoy the “Nerd World” blog with Lev Grossman and Matt Selman, here.

Tuesday, June 17, 2008

Beware of "investment" swindles

The NBC Today show on June 17 reported a major Internet swindle, in which a man, Paul Kreuger, now in jail in Pennsylvania, swindled a number of people into making “investments” in a phony music company. Two of his victims, both female, appeared on the show. The Internet site had been called “millionairematch.com”.

Internet security expert Paul Wolinsky (http://www.wiredsafety.com/) appeared on the show to discuss the case. The women say that they “investigated” the man with search engines and did not find anything that questioned his “reputation.”

A typical media story appears in the Chicago Tribune (reprinted from an Allentown PA paper), June 4, “Internet scam suspect returned to Souterton,” link here.

In another story, Myspace has won a judgment against a spammer who "barraged Myspace members with unsolicited advertisements." The story is by AP Technology Writer Brian Bernstein, link here. Myspace has won other judgments against spammers (AOL is well known for pursuing them).

Picture: from a trip in SW PA, near the Wright house, in 1995.

Sunday, June 15, 2008

Newspaper tries to explain Internet safety on kids' page

The Washington Post today, Sunday June 15, included as its “Mini Page” for kids a cartoonish four-page “Stay Safe in Cyberspace.” It is written in simple language, about seventh grade, but repeats all of the common advice that has become so familiar.

It does advise “don’t put anything online that you wouldn’t want your grandmother or future boss to see.” Yet, I don’t know if the typical early middle schooler has a concept of future employment, and can grasp the idea that, if a site is public, anyone in the solar system can see it (at the speed of light) and that search engines can find it.

The back page does explain the concept of cyberbullying, which, again, may be a difficult concept to grasp at first until the kid has seen this behavior in the real world.

Another important aspect of kid safety online could be "accountability", which can be implemented by new software packages that inform parents continually about what their kids are doing online, as discussed in the COPA/filter/labeling blog (see Profile) Friday.

Thursday, June 12, 2008

Social Networking Site addons may pose hidden security problems with personal information dispersal

There is a new story that personal information stored on social networking sites, particularly Facebook, may be available to software developers if subscribers download various widgets, games or applications (like horoscopes) that use personal information.

Even though profiles may be marked private and theoretically have limited circulation, developers may see the information for a time after users download and execute the applications on the social networking pages. There is a maximum time that outside developers can keep the information, but on paper at least, there is a risk that it could be spread around without the subscriber’s knowledge.

Some of the information might include typical security questions and answers that subscribers have used on banking sites, adding to potential downstream risks.

Risks from social networking activity are synergistic. It’s not that the sites would be unsafe for computers (they seem to be well managed in keeping out viruses and malware). It is that the information shared becomes dangerous in a society, particularly school environments, filled with social and economic tensions already well in place.

The story, by Kim Hart, appeared on the front page of The Washington Post today, link here.

Tuesday, June 10, 2008

Verizon, Sprint and Time Warner work with New York State attorney general to block some illegal content from Usenet, Web

The New York Times today (June 10) ran a front page story by Danny Hakim, link here, reporting on a voluntary agreement by three major telecommunications service providers with the New York State attorney general to block subscriber dissemination of child pornography in certain identifiable situations.

The companies involved are Verizon, Sprint, and Time Warner. It sounds likely that agreements will soon be reached with other providers (such as Comcast). The agreement may not work against third party subscriptions that provide (illegal) content outside of the control of the ISPs.

Access to some websites will be blocked. These would appear to be sites “blacklisted” by credible organizations, especially the Center for Missing and Exploited Children. It is not clear what protection there would be against “false positive” blacklisting, either through automated processing or through consumer complaints, which could be inaccurate or could misinterpret the legal definitions involved. Another complication could come from the fact that other western countries (Canada, Britain, and New Zealand) have stricter definitions regarding written text than does the United States. From news reports, however, it appears that this particular effort by New York involves images only. It would sound possible for Chilling Effects to become involved in tracking false reports. The recent United States Supreme Court definition regarding “pandering” (see my COPA blog in May 2008) is very narrow and limiting in its interpretation, applying only to communications that claim the use of real minors (as "actors") in material that may or may not actually exist.

Although the agreement was negotiated with New York State, the practical effect will be nationwide. This shows that the laws of one state can be imposed on a whole nation in some kinds of censorship situations, even if for this issue most people would agree with the action.

The Washington Post has a story June 11 on the front page by Peter Whoriskey, link here. The story emphasizes the concept that private companies (the ISPs) are being expected to act as "censors" without court supervision. That observation was made by John Morris, attorney for the Center for Democracy and Technology. The "private censorship" and use of a privately owned list (it's not clear if anyone can check it publicly for the list of blacklisted websites) raises the risk of "false positives". There is no account of an appeal process should an image or whole site be mislabeled. The story reports a highly automated technique for classifying and indexing images according to digital fingerprints. It was not clear if it is reliable or accurate.

Generally, because of provisions in telecommunications law and various court opinions, telecommunications providers have very limited liability for what their subscribers do (with some safe harbor provisions), somewhat like the way the law always worked for telephone companies. This agreement with the New York State attorney general sounds like going in a new direction.

Or perhaps not. In early 2003, Wired Magazine reported on a sting run by a Houston federal prosecutor trapping c.p. trafficking through a Yahoo! user group. A former military officer was ensnared in the sting. So ISPs and major media sites have cooperated with authorities in the past. All major ISPs have acceptable use policies or terms of service regarding this issue now, and maintain that they are already required by federal law to report known violations. One main risk could be mislabeling material as illegal when it is not.

Wednesday, June 04, 2008

A large percentage of kids are bullied online, mothers say on Today Show

The NBC Today show reported this morning (June 4) an interview in which a mother claims that 85% of teenagers who use the Internet at home now experience some cyberbullying. This is an extension of bullying that may occur on school grounds, although not all kids are subject to this.

The mothers (who included Megan Meier’s mother) suggested that parents proactively check not only their own kids’ profiles on Myspace or Facebook (or similar sites) but also the blogs of “Friends” for possible derogatory comments about their kids. Some of these comments may not get picked up by search engines and may be on profiles marked “private” but become public in practice anyway, at least within the school. Michael Fertik has discussed this kind of situation in relation to his business “Reputation Defender.”

In the "real world" I got in trouble in early June 1958 in Ninth Grade (then that was "junior high school") for repeating a medical "rumor" about a particular student, when it was overheard by the school librarian. I was called in by the School Nurse suddenly, and she accused me of "bullying." Her first words were "I want this stopped..." I still remember the incident. Usually, I was the target of the teasing for being way behind physically and athletically.

Monday, June 02, 2008

More on rogue antivirus software, apparently rogue PC networking software

There’s more being written these days about rogue fake “anti-virus” software such as what I encountered a few months ago. Recall, I found comments on my blogs trying to prompt the visitor to install “XPAntivirus” with a word of “Here.” I put on comment monitoring on the remaining blogs, and deleted a few of these comments that I found before I put on the monitoring. I’ve gotten a few variations of these, but they tend to go away after a few days of repeated comment rejection. By the way, I realize I could install the Captcha on the comment moderation to keep these out (as I think they are robots) but I don’t want to hinder legitimate comments.

Needless to say, on another Wordpress tech blog that I run on a domain (billboushka.com), I get lots of rogue comments submitted to moderation that are mostly obvious word salad with inappropriate links, perhaps ten a day. It’s easy for a human being to spot them, much harder for an automated script.

Bill Mullins has an article yesterday on Xpantivirus, on Wordpress, here, which appeared today on the “Mixx” news service under the tag “internet security”. There are some unsubstantiated allegations about its trying to capture personal information, and about generating false warnings even to people who did not try to install the full product. Kurt Baumgartner has a more general report on fake antivirus software on his “ThreatFire Research” blog here. (Somehow the blog's name reminds me of “Project Wildfire” from “The Andromeda Strain.”)

I’ve noticed another theme happening. Spammers or con artists will misspell names of legitimate products and direct you not just to a parked domain of links, but to a different site trying to sell a rogue version. For example, “Gotomypc.com” is legitimate (it was discussed in major media sources discussing telecommuting), but there is a clone on Motorshowguide.com as a subdirectory (with a slight misspelling equated [probably with an address record] to another domain name) that the host may not know about. Always check the URL that comes up when you go to a site to find something to install and make sure that the spelling matches. McAfee SiteAdvisor had not caught this problem.
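
The URL check recommended above can be automated. The following is an added example, not code from this blog or any vendor: it compares a download URL against a list of known-good sites and flags both a misspelled host and a brand name (or near-miss) sitting in a subdirectory or subdomain of an unrelated site. Only gotomypc.com comes from the post; the `.example` hosts and misspellings are constructed, and the code assumes two-label registrable domains (no public suffix list).

```python
from urllib.parse import urlsplit

# Known-good download sites. Only gotomypc.com is named in the post.
KNOWN_GOOD = {"gotomypc.com"}

def edit_distance(a, b):
    """Levenshtein distance using two rolling rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]

def classify(url, known_good=KNOWN_GOOD, max_dist=2):
    """Return (verdict, known_good_site_it_resembles_or_None)."""
    parts = urlsplit(url if "//" in url else "//" + url)
    labels = (parts.hostname or "").lower().rstrip(".").split(".")
    site = ".".join(labels[-2:])           # assumption: two-label sites
    if site in known_good:
        return ("known-good", site)
    site_label = labels[-2] if len(labels) > 1 else labels[0]
    # Path segments with any file extension stripped, e.g. "setup.exe" -> "setup"
    segments = [s.split(".")[0] for s in parts.path.lower().split("/") if s]
    for good in sorted(known_good):
        brand = good.split(".")[0]
        # Misspelled (or wrong-TLD) copy of the brand as the site name itself
        if edit_distance(site_label, brand) <= max_dist:
            return ("lookalike-host", good)
        # Brand or near-miss in a subdomain or subdirectory of another site
        if any(edit_distance(x, brand) <= max_dist
               for x in labels[:-2] + segments):
            return ("brand-on-other-site", good)
    return ("unrelated", None)

if __name__ == "__main__":
    # Constructed sample URLs; the .example hosts are not real sites.
    for u in ("https://www.gotomypc.com/download",
              "http://gotomypcc.example/setup.exe",
              "http://carshow.example/gotomypcc/index.html",
              "https://news.example/article.html"):
        print(u, "->", classify(u))
```

Anything other than `known-good` on a page that offers an installer is a reason to stop and retype the vendor's address by hand.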