Site Moving…

The ease and simplicity of Blogger has been great.  But it is time to grow.

securitycurmudgeon.com is moving to a new site.  If you want an early look, click the following link:

http://50.87.194.206/ 

All the content has been ported; RSS feeds and DNS will switch over the next few days.  In short, if everything goes well nobody has to do anything.  www.securitycurmudgeon.com will forward to the new site.  In the event there is a problem, you can use the URL (address) above to access the new site.

My Blogger site will not be going away but new articles will be published on the new site.  See you on the new site.

–Milton 

Popcorn Time All Out of Butter

I am following up on a previous post since the Popcorn Time site is no longer operational.  I thought it would take longer for Popcorn Time to close its doors.  The Popcorn Time authors note:

“Popcorn Time as a project is legal.  We checked.   Four Times”

The authors go on to provide some background for their decision:

“Our experiment has put us at the doors of endless debates about piracy and copyright, legal threats and the shady machinery that makes us feel in danger for doing what we love.  And that’s not a battle we want a place in”

In this case, the software under consideration is legal in the country in which it's developed, according to the authors.  Plenty of P2P software, such as uTorrent, BitTorrent, and Transmission, has been available for many years.  My guess is that Popcorn Time was too large a threat to industry and, unlike other P2P software, it has no legitimate uses.  The software made piracy so easy a caveman could do it.  Given the price of streaming services like Netflix, Vudu, Spotify, Pandora, etc., I'm surprised piracy is still the concern it once was.

–Milton

A Few Thoughts on Security as a Public Health Issue

A couple of years ago I explored an idea by David Rice that security is like pollution, “Security Sucks — Who’s to Blame”.  David is a deep thinker and his analogy between security and pollution remains with me today.  After some reflection I realized there is a subtle but important difference with security, which I described in an update to the same post.  Something in the pollution analogy was missing.

Kudos to Bruce Schneier in his post, Security as a Public Health Issue, for finding and summarizing an article by Cory Doctorow.  In the article, Doctorow explores security from the perspective of a public health problem – brilliant!

I would like to be a fly on the wall with David Rice, Cory Doctorow, and Bruce Schneier all in the same room – if we could only make that happen.  I’m sure the discussion would be fantastic and frightening.

–Milton

When Data Becomes Contraband and People Become Pirates

We are all accustomed to the skulduggery in the endless war between copyright holders and pirates.  Pirates endlessly shuffle torrents for movies, songs, and books around the globe, staying one step ahead of authorities, while copyright holders engage in the high-tech game of whack-a-mole to stem the tide of piracy.  But there is a new kid on the block – Popcorn Time.

Popcorn Time runs on various operating systems and operates on the P2P BitTorrent protocol.  Another P2P client would not be so interesting except that Popcorn Time streams content.  A couple of key areas set off my spidey senses.

No copyrighted files stored on viewer computers
Content is streamed from peers, buffered, watched, and discarded after reboot.  In P2P protocols individual users host and share file fragments or blocks of data.  A peer in the network often does not hold the entire file.  Blocks are assembled by peers until an entire file is recreated.  Targeting individuals for piracy of copyrighted material is less common, and when it occurs authorities focus mostly on those that host or store the copyrighted materials.

Torrent sites unnecessary
Downloading content with traditional BitTorrent clients requires locating a torrent file for the movie or music file of interest.  The torrent file provides the technical information necessary for the P2P client to locate peers and begin downloading.  If BitTorrent has a weakness, it's that it requires participants to locate a torrent file of interest.  As a result, hosting torrent files is risky business.  Law enforcement efforts to date focus on shutting down torrent hosting sites like The Pirate Bay.  Popcorn Time still relies on torrents but reduces complexity for users by integrating with YIFY.
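To make the two points above concrete (the torrent file carries only metadata, and peers reassemble a file from verified blocks), here is an added example that is not part of the original post: a minimal bencode encoder/decoder, a constructed torrent for a constructed stand-in file, and an assembly routine that accepts pieces in any order, rejects any piece whose SHA-1 does not match the torrent's `pieces` field, and reports failure if any piece is still missing.  The tracker URL and file name are made-up placeholders.

```python
import hashlib

def bdecode(data, i=0):
    """Decode one bencoded value at offset i; return (value, next_offset)."""
    c = data[i:i+1]
    if c == b"i":                                 # integer: i<digits>e
        end = data.index(b"e", i)
        return int(data[i+1:end]), end + 1
    if c in (b"l", b"d"):                         # list l...e or dict d...e
        items, i = [], i + 1
        while data[i:i+1] != b"e":
            v, i = bdecode(data, i)
            items.append(v)
        if c == b"l":
            return items, i + 1
        return dict(zip(items[0::2], items[1::2])), i + 1
    colon = data.index(b":", i)                   # byte string: <len>:<bytes>
    n = int(data[i:colon])
    return data[colon+1:colon+1+n], colon + 1 + n

def bencode(v):
    """Encode int, bytes, list or dict (bytes keys) to bencode."""
    if isinstance(v, int):
        return b"i%de" % v
    if isinstance(v, bytes):
        return b"%d:%s" % (len(v), v)
    if isinstance(v, list):
        return b"l" + b"".join(bencode(x) for x in v) + b"e"
    return b"d" + b"".join(bencode(k) + bencode(v[k]) for k in sorted(v)) + b"e"

PIECE_LEN = 4
CONTENT = b"the quick brown fox jumps"           # constructed stand-in for a shared file
PIECES = [CONTENT[i:i+PIECE_LEN] for i in range(0, len(CONTENT), PIECE_LEN)]

def make_torrent():
    """Build a torrent: only names, sizes and per-piece SHA-1 hashes, no content."""
    info = {b"name": b"fox.txt", b"length": len(CONTENT), b"piece length": PIECE_LEN,
            b"pieces": b"".join(hashlib.sha1(p).digest() for p in PIECES)}
    return bencode({b"announce": b"http://tracker.example/announce", b"info": info})

def assemble(torrent, received):
    """Reassemble from (index, block) pairs in any order; None if incomplete."""
    info = bdecode(torrent)[0][b"info"]
    hashes = info[b"pieces"]
    buf = [None] * (len(hashes) // 20)
    for idx, blk in received:
        if hashlib.sha1(blk).digest() != hashes[idx*20:(idx+1)*20]:
            continue                              # corrupt or poisoned piece rejected
        buf[idx] = blk
    if any(b is None for b in buf):
        return None                               # a peer with only some blocks cannot rebuild
    return b"".join(buf)[:info[b"length"]]
```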

From the security and privacy professional perspective, Popcorn Time is going to stir some new debate on two fronts.  When does data become illegal:  1 byte, 100 bytes, a block, 100 blocks, a file?  Next, Popcorn Time is easy to use.  No more shady torrent sites, or futzing with Tor clients to conceal identity (if people even care).  Popcorn Time is essentially Netflix for pirates – it’s that easy.  It’s likely Popcorn Time will go viral, and when it does it will be interesting to see how industry reacts.

An aside: as I have mentioned in previous articles, I’m not a lawyer, but if you are and wish to comment on the post for readers, we would welcome your thoughts.  Enjoy!

–Milton

Privacy Implications of Vizify Acquisition
[Updated On, March 14, 2014]

I received an email from Vizify this morning.  Yahoo is closing Vizify.  Bummer.

“We appreciate that you invested time in creating and sharing your bio and apologize for any disruption we may be causing you. We’re going to miss our bios, too, but we’re taking the following step to make the shutdown smoother.”

On the brighter side perhaps they can bring some of their talent to a larger audience.  An updated FAQ is provided.

[Updated On, March 12, 2014]

Eli Tucker (@etucker), Vizify co-founder, provided a link indicating, “Yahoo will not use any Vizify user data except for purposes directly related to Vizify bios and services”.

[Original Post, March 12, 2014]

Most of us have an idea about how our personal information is used when we sign up for an online service.  It stands to reason that participation requires sharing some personal information.  But what happens to our personal data when one company acquires another?

Vizify is an online service where participants share personal background such as work history, Twitter connections, noteworthy Tweets, professional associations, and more.  The benefit of Vizify is that it presents professional and personal life in an infographic-style dashboard that’s easy for others to consume.  If you want to see Vizify in action, take a look at my profile.

Now that everyone has an idea of Vizify’s services, let’s think about the acquisition further.  I was wondering what would happen to my personal data when Yahoo purchased this company.  Investigating further, I reviewed Vizify’s online privacy policy (image shown).

Image: Vizify Privacy Policy

First of all, kudos to Vizify for the world’s shortest privacy policy.  Most privacy policies I review these days read like the Dead Sea Scrolls.  Vizify’s privacy policy is short and to the point.  In fact, the policy is quite clear about what happens during a merger or acquisition.  Any personal data shared with Vizify will be included in the negotiations or sale of the company.  In this case, personal data shared with Vizify is now Yahoo’s property.

Small disclaimer: Yahoo is a previous employer of mine, and I know how important security and privacy are to Yahoo.  I’m not concerned about this acquisition.  However, what if a different company had purchased Vizify?  Considering more chilling scenarios, what if an insurance company purchased another company holding medical information, like WebMD?  WebMD does not hold medical records in the strictest sense and is not subject to government regulations like HIPAA, but it does have a treasure trove of medical information.  Continuing the thought, what if LinkedIn wanted to sell information about your job searching to the highest bidder, which may include your employer?  My point is not to stir up conspiracy theories, but personal information can be used in chilling ways that are difficult to imagine.

It’s a fact that companies are sometimes purchased solely for the competitive value of their intellectual property (e.g., patents, information).  I’m not a lawyer, but outside of corner cases like medical records or credit card information, there are few laws describing protections for personal information or the disposition of personal data after corporate acquisitions and mergers.

–Milton

Configuring Adblock to Block Advertisements

You may have assumed that when you installed Adblock Plus all annoying advertisements on web pages you visit would be blocked.  After all, with a product name like “Adblock Plus”, it’s not too outrageous to assume the product should block ads – right?  Well, you’re sort of right: some ads are blocked, and some are not.  Read the fine print.

I visited the ABC News web site not long ago to read one of their stories.  I noticed when arriving on their site that a video at the top of the article began playing automatically.  I knew I had Adblock Plus installed, so I was a little puzzled why the video began to play.  Usually, Adblock Plus blocks not only ads but any Flash embedded in a web page.  At first I thought maybe the video was not Flash but another technology.  To check, I right-clicked on the image and sure enough, the familiar Flash menu displayed.  The video was using Flash, but how could that be possible?  I had Adblock Plus installed.  I noticed in the lower right hand corner of my Firefox web browser that the Adblock Plus icon was gray.  This means Adblock Plus is turned off.  I thought it was strange that it was disabled since I distinctly remember turning it on some time back.  Unsure of what was happening, I turned blocking back on and hit Reload in my browser.  The page reloaded, and when it did Adblock Plus turned itself off again and the video began to play.  At this point, I knew something strange was happening or Adblock had a bug.  I figured I would visit the Adblock Plus web site to see if I could find any information on the subject.

It turns out Eyeo is the parent company that owns Adblock Plus.  Eyeo provides information about their blocking policies and positions on advertising to the public on their web site.  Apparently, Adblock Plus is not designed to block all content.  The company notes, “Adblock Plus exists to save its users from annoying ads”.  A rubric defining annoying, or rather Acceptable, ads is provided on their web site, but it’s evidently not followed or enforced on some sites like ABC News.  According to the company, it’s possible to turn off the acceptable-ads allowance and block all ads if it bothers you.

Unfortunately, unchecking did not work for me when I followed the instructions.  If I uncheck the box in the filters (as shown) and select “Disable everywhere”, it blocks ads on other sites, but when I return to ABC News and visit anything under the videos area, advertisements continue playing on their own.  Perhaps this is a bug that slipped past the quality testing staff?

Adblock Configuration: uncheck to disable all ads

Incidentally, I don’t object to Internet advertising.  Without advertising, I’m not sure we would have any interesting content on the Internet to enjoy.  I also appreciate the pressure on Eyeo, which is walking in the crosshairs of the Internet ad industry by blocking ads.  Perhaps there is a lesson: maybe we shouldn’t be dogmatic about ad blocking and should take a more rational approach.  Taking Eyeo’s lead, perhaps industry can define an advertisement rubric and web browsers can include new features for users to adjust their ad preferences.  Eyeo’s approach considers acceptable ads from the user perspective in terms of different levels of distraction (e.g., moving images, etc.).  As a security professional I look at ads differently and consider risks of exploitation and privacy.  So, for example, I would prefer to see ads as a simple JPG or image file – no JavaScript at all.  JavaScript is not strictly required to track user activity; there’s still plenty of information available to the server when browsers download images.  At higher levels of risk come JavaScript and then, finally, plugins like Flash.

A concern today is that there is a growing rift in expectations between what consumers think their software applications and services are doing and what’s actually done.  People can handle a few surprises, but what happens when the surprises never end?  Trust is the only commodity eroding faster than the US dollar, and when it’s gone I’m not sure what happens.  We need a modern-day Andy Rooney to crack the whip.

–Milton