Here’s something to add to the ol’ RSS reader (or Twitter @crunchgov if that’s your thang). TechCrunch, one of the better sites for news and information about tech and the tech industry, today launched CrunchGov to track government and tech policy-making. The site will have three initial CrunchGov products (report card, policy database, and legislation crowdsourcing). Read more about it on their post explaining the CrunchGov roll-out as well as the methodology/FAQ behind the site.
The “I Know…” series of blog posts shows relatively simple tricks [malicious] websites can use to coax a browser into revealing information that it probably should not. Firewalls, anti-virus software, anti-phishing scam blacklists, and even patching your browser were not going to help.
Fortunately, if you are using one of today’s latest and greatest browsers (Chrome, Firefox, Internet Explorer, Safari, etc.), these tricks, these attack techniques, mostly don’t work anymore. The unfortunate part is that they were by no means the only way to accomplish these feats.
The ancient art of password cracking has advanced further in the past five years than it did in the previous several decades combined. At the same time, the dangerous practice of password reuse has surged. The result: security provided by the average password in 2012 has never been weaker.
The average Web user maintains 25 separate accounts but uses just 6.5 passwords to protect them, according to a landmark study (PDF) from 2007. As the Gawker breach demonstrated, such password reuse, combined with the frequent use of e-mail addresses as user names, means that once hackers have plucked login credentials from one site, they often have the means to compromise dozens of other accounts, too.
The article goes pretty in-depth into the hacking/cracking methods used, but the early parts and the very end should be enough for the less technical folks. This is something to keep in mind, both for your personal accounts and anything you’re responsible for at your library/workplace.
Commentators often attempt to refute the nothing-to-hide argument by pointing to things people want to hide. But the problem with the nothing-to-hide argument is the underlying assumption that privacy is about hiding bad things. By accepting this assumption, we concede far too much ground and invite an unproductive discussion about information that people would very likely want to hide. As the computer-security specialist Schneier aptly notes, the nothing-to-hide argument stems from a faulty “premise that privacy is about hiding a wrong.” Surveillance, for example, can inhibit such lawful activities as free speech, free association, and other First Amendment rights essential for democracy.
Yet another problem with government gathering and use of personal data is distortion. Although personal information can reveal quite a lot about people’s personalities and activities, it often fails to reflect the whole person. It can paint a distorted picture, especially since records are reductive—they often capture information in a standardized format with many details omitted.
For example, suppose government officials learn that a person has bought a number of books on how to manufacture methamphetamine. That information makes them suspect that he’s building a meth lab. What is missing from the records is the full story: The person is writing a novel about a character who makes meth. When he bought the books, he didn’t consider how suspicious the purchase might appear to government officials, and his records didn’t reveal the reason for the purchases. Should he have to worry about government scrutiny of all his purchases and actions? Should he have to be concerned that he’ll wind up on a suspicious-persons list? Even if he isn’t doing anything wrong, he may want to keep his records away from government officials who might make faulty inferences from them. He might not want to have to worry about how everything he does will be perceived by officials nervously monitoring for criminal activity. He might not want to have a computer flag him as suspicious because he has an unusual pattern of behavior.
Of course, if this person had borrowed those books from his library, the government wouldn’t have been aware of it. ;) (Leaving aside the fact that books on making meth probably aren’t part of the typical library’s collection…)
I highly recommend reading this entire piece.
Security4Lib is a Drupal based website, wiki and email list for the discussion of issues relating to IT Security in libraries, including, but not limited to, web sites, email, networks, servers, passwords, services, mobile, wifi, and apps.
Social Media Security Basics [infographic]
I don’t know if this will be of use to anyone but me, but I was trying to go over the Computers in Libraries sessions (both those I attended and those I didn’t) to find what I could of the presentation slides/handouts/blog posts, and I was getting bogged down in links and files, so I made these lists of links. If anyone knows of stuff that could be on here that I missed, do let me know (use the ‘ask me anything’ link).
E204: Google Plus or Google Minus?
Julie Strange (@strnglibrarian)
Joel Shields (@shieldss)
J. Shore (@7shores)
Patricia F. Anderson (@pfanderson), virtually
… But the fact that apps must routinely face approval masks how extraordinary the situation is: tech companies are in the business of approving, one by one, the text, images, and sounds that we are permitted to find and experience on our most common portals to the networked world. Why would we possibly want this to be how the world of ideas works, and why would we think that merely having competing tech companies—each of which is empowered to censor—solves the problem?
This is especially troubling as governments have come to realize that this framework makes their own censorship vastly easier: what used to be a Sisyphean struggle to stanch the distribution of books, tracts, and then websites is becoming a few takedown notices to a handful of digital gatekeepers. Suddenly, objectionable content can be made to disappear by pressuring a technology company in the middle. When Exodus International—”[m]obilizing the body of Christ to minister grace and truth to a world impacted by homosexuality”—released an app that, among other things, inveighed against homosexuality, opponents not only rated it poorly (one-star reviews were running two-to-one against five-star reviews) but also petitioned Apple to remove the app. Apple did.
To be sure, the Mac App Store, unlike its iPhone and iPad counterpart, is not the only way to get software (and content) onto a Mac. You can, for now, still install software on a Mac without using the App Store. And even on the more locked-down iPhone and iPad, there’s always the browser: Apple may monitor apps’ content—and therefore be seen as taking responsibility for it—but no one seems to think that Apple should be in the business of restricting what websites Safari users can visit. Question to those who stand behind the anti-Exodus petition: would you also favor a petition demanding that Apple prevent iPhone and iPad users from getting to Exodus’s website on Safari? If not, what’s different, since Apple could trivially program Safari to implement such restrictions? Does it make sense that South Park episodes are downloadable through iTunes, but the South Park app containing the same content was banned from the App Store?
The largest cloud providers today are Google, Microsoft, and Amazon, each offering multiple services and platforms for their respective customers. For example, Microsoft Azure, Google Apps, and Amazon EC2 are all hosting and development platforms. Google Docs, Acrobat.com, and Microsoft Office 365 all provide basic word processing, spreadsheets and other applications for individuals to use via the web instead of on their individual desktops. Then, of course, there are social networks, online gaming, and video and music sharing services — all of which rely on a hosted environment that can accommodate millions of users interacting from anywhere on earth, yet all connected somewhere in cyberspace. While the benefits are many, both to individuals and to corporations, there are three distinct disadvantages from an individual and national security perspective:
- The cloud provider is not responsible for securing its customers’ data.
- Attacking a cloud-based service provides an economy of scale to the attacker.
- Mining the cloud provides a treasure trove of information for domestic and foreign intelligence services.
Anyone who uses any sort of cloud service should pay special attention to that first point.