Archive for the 'security' Category

17 Jun 09

#IranElection

I was thinking about Twitter and Iran and identity yesterday while watching activity on Twitter. First, for the benefit of those living in a cave, Iran had an election, and it appears the results are at odds with public perception. Being effectively a Muslim orthodox theocracy, the population is not given a lot of opportunity to voice displeasure with the government. That being the case, Iranians have been flooding Twitter, Facebook, and YouTube with news, videos, protest information, police activity, etc. The Iranian government is doing its best to lock down access to these web services, but it is difficult. Twitter, especially, has a very open API and a number of ways to receive posts.

Question number 1: How do you sort out the good posts from the bad? Apparently Iranian security forces have created Twitter accounts and are posting false information. I have noticed an increase in the number of spammers using the #IranElection hashtag as well. In addition to that, requests have been made to all Twitter users to change their profile information to show they are in Tehran and their timezone is GMT+3:30. This is supposed to create additional noise so it is more difficult to determine who is actually in Iran.

Question number 2: Where is the SSL in the 3rd party apps? Twitter and Facebook offer the option for SSL login. I haven’t looked into the API, but I’m not sure if Twitter allows 3rd parties to connect via SSL. Even if they do, how often is the feature used? One of the ways people are filtering noise vs data in the Twitter feed is by looking at when the account was created. If Iran owns the backbone leaving the country, what’s to stop them from sniffing the traffic and hijacking known, trusted accounts? I have some concerns posting this, but, honestly, we don’t get a lot of traffic here. Also, if the Iranian security folks haven’t figured this out yet, then they have way bigger problems on their hands.

Question number 3: Why are major news sources publishing account names when quoting Twitter? I can understand wanting to document where the information came from, and perhaps even keeping records of all the details, but do you need to publish names?

23 Dec 08

Airline Suckurity

Why ship the checked bags with the plane? Why not send them next day to wherever the passenger is going? Drop it off at the curb with an address and ship it. No screening, no worries, take advantage of an existing infrastructure. FedEx, UPS, and the USPS have been doing this reliably and cheaply for years. I suspect when all the redundancy is eliminated from the system, and all the extra security measures are dropped, the cost difference would be negligible. This would also cut down on theft. If the bags are sealed up, as they don’t need to be opened to be inspected, it makes it much more difficult to pilfer items from them. Perhaps an industry that isn’t on the ropes may be able to profit by assisting a vital industry that has been in trouble for years.

13 Aug 08

Social networks, worms, and patriotic acts of war

I’ve been following Gadi Evron’s tweets for the past week, starting out with the Facebook worm and going into detail about the faux cyberwar front with Russia accused of attacking Georgia.

It turns out, while a number of Georgian sites were attacked, there is no proof that it was an official Russian act, or even that the government had anything to do with it. It started out as an ordinary DDoS, but spread with scripts being distributed en masse. Lots of propaganda-type stuff feeding off of people’s patriotic tendencies.

This led me to the idea that it would be very easy for someone to put together a DDoS app for Facebook, MySpace, etc. and distribute it very quickly. Things already spread fast there, even without exploiting the undocumented features. If scripts were included to “punish wrongdoers”, what would the implications be?

This could go way beyond nation/state patriotism. It could be used for political, social, or even hoax reasons.

Let me be the first to introduce Script Kiddies to the Facebook Generation.

27 Apr 08

Quick post on corporate suckurity

If these big corporations with tons of resources can’t do the easy stuff properly, how can we expect them to manage the hard stuff?

 

1) Myspace

Where’s the secure login? If they had SSL and certificates it would cut down on phishing and stolen accounts. I’m at a loss. Maybe someone out there can tell me why they haven’t done it.

 

2) Yahoo

They have SSL implemented, but the certificate was expired for quite a while, weeks, if not months. Also, they are cheap. login.yahoo.com has a proper cert attached, but mail.yahoo.com has a cert for login.yahoo.com, too. Come on guys, pony up a couple bucks for another certificate.
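
Both failures described above (a certificate past its expiry date, and a host presenting a certificate issued for a different name) can be caught mechanically. The following is an added example, not part of the original post: it audits certificate dictionaries in the shape Python's `ssl.SSLSocket.getpeercert()` returns. The certificate contents and dates are constructed for illustration and are not the real Yahoo certificates.

```python
import ssl
from datetime import datetime, timezone

def _dns_names(cert):
    """Names the cert is valid for: DNS SAN entries, else the subject CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn
            if k == "commonName"]

def _matches(pattern, hostname):
    """Exact match, or a wildcard that covers only the leftmost label."""
    p, h = pattern.lower().split("."), hostname.lower().split(".")
    if len(p) != len(h):
        return False
    return p[1:] == h[1:] if p[0] == "*" else p == h

def audit_cert(hostname, cert, now):
    """Return a list of findings for one host/certificate pair."""
    findings = []
    expiry = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    if now > expiry:
        findings.append("expired")
    if not any(_matches(n, hostname) for n in _dns_names(cert)):
        findings.append("hostname-mismatch")
    return findings

# Constructed sample certificates (illustrative values only).
LOGIN_CERT = {"subject": ((("commonName", "login.yahoo.com"),),),
              "subjectAltName": (("DNS", "login.yahoo.com"),),
              "notAfter": "Jan  1 00:00:00 2009 GMT"}
STALE_CERT = dict(LOGIN_CERT, notAfter="Feb  1 00:00:00 2008 GMT")
NOW = datetime(2008, 4, 27, tzinfo=timezone.utc)  # date of the post

def audit_all():
    """Audit the constructed inventory: (hostname, certificate served)."""
    inventory = [("login.yahoo.com", LOGIN_CERT),
                 ("mail.yahoo.com", LOGIN_CERT),    # wrong name served
                 ("login.yahoo.com", STALE_CERT)]   # past notAfter
    return [(host, audit_cert(host, cert, NOW)) for host, cert in inventory]

if __name__ == "__main__":
    for host, findings in audit_all():
        print(host, findings or "ok")
```
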