Monday, February 20, 2012

to patch or not to patch: an edge case

i find myself in a rather odd predicament today. i've been using an older computer (we'll call it one of my secondary computers since it gets very little use compared to the one i'm writing this with right now) and i got a pop-up notification that i was running out of space on drive C:.

now i want to put this in context; this computer sees very little use, mostly it gets turned on, has some files transferred to it or from it, and then switched off. i can't remember the last time i actually installed anything on it (for that matter, since i've switched over to using portable software, i can't recall the last time i installed anything on my primary system either) so let's say it's been a really, really long time since i touched the C: drive at all. mostly it's the larger secondary physical disk that gets used.

so you can imagine my surprise when the notification about running low on space popped up. was there something malicious going on? had the system been compromised? no, it was in the process of applying system updates. patches had actually eaten up the majority of my free space - the WINDOWS directory was taking up over 7 gigs of my 10 gig drive. i'm actually in the position where i have to uninstall software so that the patching will succeed.

now, this is an XP system so one might reasonably suggest that i upgrade to the latest version of windows so that i can avoid having all those patches on my system. unfortunately, this system is so old, i doubt it will meet the system requirements of anything newer than XP.

one might also, entirely reasonably, suggest upgrading the hard disk to something larger. memory is cheap, after all. it's a little difficult to justify upgrading the drive just to accommodate microsoft's attempts to fix their earlier mistakes, though. it's certainly not like i'm going to get any additional benefit from greater space on a drive i never make use of.

one could even go so far as to suggest upgrading all the things so that not only would i be able to move to the latest version of windows, i could have more space and a snappier system that is more amenable to being used day to day. but i already have a computer that's more amenable to being used, so really everything that was wrong with the idea of upgrading the drive is also wrong with this plan, in spades.

it's times like this that make one question things we normally take for granted, like why does patching take so much space? is the fixed binary that much larger than the one with the error in it? no, that doesn't appear to be what's going on. it appears that windows keeps a bunch of stuff around so that you can uninstall the patch if you want to. does anyone ever actually do that? there may be a way to reclaim the space those uninstall files take up, but it's not obvious just by looking at the system, and right now simply letting the updates happen the way an ordinary user would is actually reducing the utility of the system.

thankfully the utility that's been lost wasn't really needed anymore. but what about next time? support for XP is ending, but it's not over yet, there are still more patches coming. i'm going to be facing the prospect of no longer getting patches anyway, so i might as well get used to it early - and since the system is little more than a network attached storage device that spends most of its time powered off, i can't really see the harm.

in security, we normally think of applying patches as a no-brainer. it may present some logistical hurdles in the enterprise, but it still needs to get done. sometimes, though, there are cases where it just doesn't pay off. no practice is so universally beneficial that it should be mindlessly applied 100% of the time.

Sunday, February 12, 2012

is the iphone really malware free?

friday morning mikko hypponen posted a tweet about the folks behind flexispy changing the look of their site, and i took the opportunity to pose a question to him about iphone malware. you see, flexispy is (or was) a piece of mobile malware that f-secure posted about roughly 6 years ago. not only that, but there's a version of the software for the iphone, so i found mikko's repeated statement that there was no malware for the iphone to be a little strange in light of the fact that both he and his company have been aware of software that seems to contradict that claim for quite some time.

the resulting discussion with both mikko and his colleague sean sullivan led in 2 separate directions, so let's look at them in turn. first mikko responded with the following:
@imaguid No malware for iPhones. If you jailbreak your phone: all bets are off. Flexispy runs on jailbroken only.
now to me, this gets to one of the hearts of the matter. when people say there's no malware for the iphone, they're only talking about non-jailbroken phones. the pertinent difference between a normal iphone and a jailbroken iphone is that normal iphones can only install apps from the app store. the app store is a so-called walled garden where all the apps go through a screening process to keep out undesirable programs.

so what people really mean when they say no malware for the iphone is that there's no malware in the app store. this is an important distinction, because the iphone ecosystem (and by extension, the threat landscape) extends beyond the app store. when chris dibona attempted to downplay the threat malware posed to android devices by pointing to google's efforts to keep their android marketplace clean, a number of folks were quick to point out that the android ecosystem extended beyond google's android marketplace, so it seems strange that people would forget the same line of reasoning applies to the iphone as well.

one other thing (well, the only other thing, really) that mikko said was:
@imaguid ...and to top it all: we couldn't do anything about iPhone malware anyway, as Apple won't allow Antivirus products to iPhone.
and you know what? why should they allow them when there's apparently "No malware for iPhones"? whether or not there is malware for the iphone, apple doesn't want people to think there is. there is this (rather old) idea that computers can be as easy to use as an appliance (like a toaster). this idea is actually very appealing. it promises computers that just work, computers that don't get malware, computers that are easy and safe and worry free. that promise is part of the secret sauce behind apple's marketing, but if they allowed AV products in then it would dispel the illusion of the appliance computer and apple's products would lose their lustre. it's very convenient, then, that AV vendors are willing to be complicit in apple's marketing by repeating the claim that there's "No malware for iPhones".

but such unqualified claims are, as mikko has revealed, not technically true. it's not that there's no malware for iphones, it's that there's no malware in the iphone app store.

but wait, is that really true? is there no malware in the app store at all? i'm not sure that's true when we've recently been made aware of apps in the app store that collect and send personal information to a remote server without the user's knowledge or consent. but it's about time i turned my attention towards the much more verbose and nuanced discussion that sean sullivan and i had on the subject. perhaps he can shed light on why these personal info stealing apps shouldn't be considered malware. while mikko didn't question the classification of flexispy as malware, sean informed me that f-secure no longer calls it malware.
@imaguid @mikko But they then added an installation interface, and we have since categorized it as riskware.
that's right - in spite of the fact that it is designed and marketed as a tool for spying on other people, it is not classified as spyware or malware because it was given an installation interface - meaning that the attacker has to have physical control of the phone for at least as long as it takes to install an app. now, on the desktop this might be a meaningful mitigating factor, but on mobile devices where physical access is so much easier to achieve? come on...

why exactly that stops it from being malware in general or spyware in particular in the context of mobile device security i still can't fathom, but sean offered up two things by way of explanation. one being a concern over being sued... by malware vendors. this rationale is something i heard from dr. solomon years and years ago, but i have to admit i had hoped that the industry had become less spineless in the interim. i guess that was too much to hope for. google may stand up to the government on behalf of its users (perhaps not always, and perhaps it doesn't always succeed, but it has tried), but apparently anti-malware vendors only stand up for their users when there's zero risk they'll be challenged.

the other thing he offered was the following definition of spyware from google:
Software that self-installs on a computer, enabling information to be gathered covertly about a person's Internet use, passwords, etc.
apparently it's not enough that the software spies on you in order for it to be called spyware, it has to "self-install" as well. now i'm sure i must be missing something, because this definition seems to exclude anything where the victim is socially engineered into installing the software (it's hard to call it self-installing if the victim is the one installing it). it also seems to exclude anything that utilizes the particular trojan horse case where the software actually does perform the function it claims to, so the payload is additional functionality instead of strictly misrepresented functionality. a game that also steals passwords, a text editor that also sniffs network traffic, webcam software that just happens to send the video stream to a second undisclosed location in addition to the intended recipient - all of these are examples of software that ought to be called spyware but which the victim actually knowingly installs (because the undesirable functionality is unreported) and thus fails to meet the "self-install" criteria. this is precisely the type of situation users of the photo sharing iphone app called path faced.

now, sean also pointed me towards the anti-spyware coalition's risk model description document. i had hoped it would help me to learn more about this "self-install" concept that sean assured me was part of an industry agreed upon standard definition. things didn't turn out that way, since the term "self-install" doesn't appear in that document, but the topics of installation and distribution do figure prominently in the contexts of both risk factors and consent factors. unfortunately this document from 2007 appears once again to be geared to desktop computing rather than mobile computing. that's probably not too surprising considering it's 5 years old now, but it does highlight the age old problem of letting context into the classification process. mobile devices are easier to gain illicit physical access to, as well as being shared more freely (and more frequently) in social circumstances by their owners. the issue of consent at the point of install has far less significance as a risk mitigation for mobile devices. furthermore, the issue of consent at the point of install pretty clearly drops the ball in the case of trojans because it's not necessarily fully informed consent.

as the risk model description document demonstrates, somewhere along the line the industry gave up on basing its classification system on functional definitions. sean insists that this is a "stricter process" but i think it's more correct to say that it utilizes more criteria than a functional definition system would. utilizing more criteria doesn't always lead to a stricter process because not all criteria are created equal and, at least in the case of the risk model description document, some of those criteria are used to create exceptions (which are generally not the hallmark of a strict process).

one of the last things sean wondered is how could the AV industry possibly use my (supposedly) broader definition(s) and not be accused of FUD. now, aside from the fact that the industry is already accused of FUD (and worse) pretty much regardless of what they do, i think it's important to spell out one of the key differences between a functional definition and the kind of definitions that sean sees in use. definitions that include contextual evaluation are judgements, they engender choice and leave room for agendas. a functional definition has no judgement, it is purely descriptive of the functional capabilities of what is being classified. you can no more be blamed for saying software that spies is spyware than you can for saying water is wet or the sky is blue. there's no silver bullet to make accusations go away, but if you take judgement out of the equation it should render those accusations baseless.

so why is all of this important? because it appears that we've somehow stumbled upon a way in which malware can be classified as "riskware" instead of malware. nobody hears about the riskware classification, nobody cares. they hear "No malware for iPhones" and they shut the rest out because that's all they needed to know (or at least according to traditional notions of malware that should have been all they needed to know). classifying malware as something other than malware seems to be what's enabling people to make the "No malware for iPhones" claim, like some kind of terminological shell game. "No malware for iPhones" makes people think the devices are safe and worry free, but there are risks, and not just for those who jailbreak. "No malware for iPhones" is creating a false sense of security and with the revelations that have been made about apple's abject failure to lock down a particular type of personal information and the near ubiquitous exploitation of that failure by app developers, it seems like the stuff of snake-oil.

i tend to think that when people face risks they want to know about them rather than be told there's nothing to worry about, and i tend to think that when those risks come in the form of software that acts against the user's interests, informing the user is the AV industry's job. some people don't want that to happen, they want their own interests to take precedence. if the AV industry allows that to happen through inaction (or worse, facilitates it) then they don't deserve the reputation they have for protecting the user. the industry may not be able to put AV software on iphones yet, but they can certainly do a better job of raising awareness of the risks than going around telling people there's "No malware for iPhones". maybe when public awareness is raised apple will change their ways.
image from secmeme.com

Tuesday, December 27, 2011

the problem with the "like" trade

earlier today randy abrams posted an interesting take on facebook advertising and how misleading the word "like" can be (http://randy-abrams.blogspot.com/2011/12/facebook-misleading-advertising.html). this reminded me of a beef that i've apparently had going back at least as far as may of this year (judging by the timestamp on the screenshot i took).

specifically, randy said the following:
If I have to “like” a page to get the information I want, I don’t have a problem with that
well, with all due respect to randy, i do have a problem with it. randy makes some good points about the way people's pictures get used in facebook ads when they "like" things, but a point he neglected is that forcing users to "like" or otherwise post about something before they can see the content they've been lured with is a popular tactic in facebook scams.

now, i'm not trying to suggest that security companies making use of this marketing methodology are scam artists (though i am tempted to say that all marketing is in some way a scam) but they should be aware that by utilizing this sort of marketing they are effectively endorsing a marketing methodology (developed by facebook) that breeds victims. i don't expect facebook to care about such things, since such trickery is how they make their money, but i certainly expect security companies (especially ones with as strong a leaning towards empowering users as eset) to know better than to go along with facebook's questionable methods and do things like this:
"like"s are not something to be bought from users in exchange for free or otherwise tempting content. they are an endorsement and as such can't be legitimate until after the user has sampled the content. the idea of exploiting illegitimate user endorsements should be recognized as unethical and should be understood to have consequences. by using the sort of techniques that scam artists thrive on, one is basically training people to be victims. i expect better from security companies and i think you should too.

Sunday, December 04, 2011

privacy in the age of forever

i've written before about what i think privacy is, though classifying it as an obscurity-based strategy for satisfying a basic need for safety was very high level and abstract. it could also be taken the wrong way, since people often think about safety as only applying to their physical person (i.e. physical safety). our physical bodies aren't the only thing we want to keep safe, of course. our families, our property, our reputations, our opportunities, etc. are all things we want to keep safe, all things we want to protect, and all things for which privacy can help offer some protection.

privacy is often described in terms of controlling information but on reading danah boyd's thoughts on privacy i realized it can and should be expressed a different way. controlling information is the means by which privacy is often accomplished, but it's not what privacy is actually about. while i don't agree with the narrow scope boyd used ('asserting control over social situations'), at its root was a kernel of truth. while the means by which privacy is achieved may be the control of information, the point is the control of outcomes related to that information, whether they be social outcomes, business outcomes, educational outcomes, housing outcomes, health outcomes, political outcomes, legal outcomes, etc.

controlling outcomes is, of course, the point of any strategy. the thing about strategies, though, is that their appropriateness depends heavily on the situation, and what people largely don't realize is that there is a situation which is becoming increasingly ubiquitous under which many traditional privacy strategies don't work very well.

in the online world everything is recorded and stored for consumption at a different time or in a different place. it is essentially a persistent medium through which we can interact with each other. this is a significant point because for most of human history the real world has largely been an ephemeral medium for interaction. our behaviour, the strategies that we develop as we mature in the real world take great advantage of the ephemeral nature of our interactions with others. if you weren't present the day your best friend made a hurtful comment about you to others in your peer group then you missed out, that experience is gone, "you had to be there" as it were. this ephemeral property of the event, the fact that the information only exists in a very particular point in time and space, serves to restrict access to that information to only those who were present at the same point in time and space.

once we start interacting online that ephemeral property ceases to exist, so access to the information that we might have otherwise expected to be restricted due to its ephemeral nature is no longer restricted in that way. we often don't realize that, however, because we take that 'ephemeral-ness' for granted. it's not easy adapting to a situation where that no longer applies.

for example, imagine for a moment that every word you speak goes into a speech bubble above your head, like in the comic books, except unlike the comics the speech bubble doesn't go away, it stays with you and allows people to read what you said 5 minutes ago or even 5 hours ago. every swear word, every uncharitable thought uttered under your breath in the heat of the moment, everything. can you imagine how you'd adapt to that sort of situation? you'd probably censor yourself a lot more than you currently do - since your utterances have become persistent the natural adaptation that would allow you to continue to control the outcomes associated with what you say is to say far less.

at first blush that might not seem unbearably bad, but let's take things a step farther because that example really only dealt with your words. this time (this is inspired by danah boyd's post, by the way), imagine you are stuck in a very large room and surrounded by everyone you ever have and ever will meet. imagine trying to live your life in this room. how do you play with your toddler in front of your business partner or a potential client? how do you woo your future wife in front of your children or your parents? how do you hang out with your high school friends in front of your future employers? how do you project an image of cool professionalism to people who saw you fall face first in a mud puddle? again, in such a situation, surrounded by people from disparate contexts of your life, the natural adaptation is to reduce the amount of information that you reveal about yourself, but think about those questions; there are certain outcomes that can't reasonably happen without revealing sensitive things about yourself.

these examples may seem absurd, but this is what it means to interact in a persistent medium. anyone, anywhere, at any time can (in theory) see the footprints you've left in that medium. your interactions in a persistent medium transcend time and space, allowing people to effectively 'TiVo' your life (or at least the portion of it that's been recorded).

obviously this represents an unacceptable state of affairs for online interaction. there's very little utility in it if it requires such profound self-censorship. that's the reason that technological privacy controls and privacy settings were invented - to help replace the access control that was lost when the information became recorded. unfortunately the technological controls don't operate the same way that ephemerality does, so trying to achieve a similar outcome with them is complicated and often not intuitive.

sean sullivan (at least i assume it was that sean) made a post on the f-secure blog that highlighted a talk given by clay shirky where he said (as quoted by sean) that "managing privacy isn't natural". technically what shirky said was that managing privacy settings isn't natural. we manage privacy every day in every interaction we make with others, but managing privacy settings by definition can't be natural because the settings themselves are artificial. this has implications for the kind of privacy one can achieve through managing such settings - it is itself an artificial, man made analog to natural privacy, and prone not only to being incomplete in comparison to its natural counterpart but also to breaking down as all man made things do.

but as untrustworthy as that sounds, it will have to be good enough, because we can't turn back the hands of time or halt progress. we can't even opt out of the persistent medium. oh, we might get away with staying out of the online world ourselves, but persistence is intruding into the real world more and more. public photography, for example, is turning the public sphere (which used to represent an ephemeral medium) into a much more persistent medium than it used to be. this can be a good thing when it helps to expose things like police brutality, but it poses a not insignificant problem for us as a society.

paul ducklin raised some concerns about this very problem last year on the sophos blog. at the time i didn't think his concept of public privacy made much sense, but when examined through the lens of a traditionally ephemeral medium of interaction being changed into a persistent one without people noticing or appreciating the consequences for their existing privacy strategies, it starts to be clear (to me) that this is a problem that deserves some consideration. i wouldn't consider it an invasion of privacy, per se, but perhaps it would qualify as a subversion of privacy, since it changes the environment to one where the strategies people were using to control outcomes no longer work properly, and it does so without making it clear that that had happened.

are we ready for the implications of living in a world where our actions live on beyond the moment? i don't really know. certainly we can manage our privacy settings online, and maybe we can obscure our identifying features offline (though that may interact poorly with some of our cultural norms) so that public photography becomes less of an issue. i just wonder if explaining to the next generation what it was like before everything became persistent will be the last time we ever get to use the phrase "you had to be there".

Thursday, November 03, 2011

thoughts on metasploit's impact

i listened to the network security podcast #257 this afternoon, specifically because i wanted to hear what martin mckeay, josh corman, and hd moore had to say about metasploit and what josh corman calls HD Moore's Law. there were a lot of mentions of PCI and being 'this tall to ride the internet', but the comment that really caught my ear (i was listening to it rather than reading it after all) was that metasploit allows people to test their security against the attacks that are readily available.

and then a voice in the back of my head said "yeah, but metasploit is what makes those attacks readily available". it's essentially equivalent to saying that the readily available attacks allow people to test their security against the readily available attacks - i believe the way the internet identifies such tautologies these days is by saying "obvious statement is obvious".

one of the interesting things josh corman brought to the conversation was a breakdown of adversary classes (i encourage you to read his post that i linked to above, not only for that breakdown but also a visualization of their relative success rates against a scale of defender strengths) and it occurs to me that, in the absence of metasploit, these so-called readily available attacks that are in the hands of the casual attacker wouldn't generally be in the hands of the casual attacker (and thus wouldn't be the readily available attacks) but rather in the hands of adversaries of a higher calibre.

one thing that isn't really mentioned but seems fairly obvious is that the higher up you go on the scale of adversary classes, the smaller the population will be (the more skills one has the rarer one becomes) and consequently the smaller the aggregate pool of practical targets will be (since there's a limit to what any one given person can pull off in a given period of time, the manpower available to an attacker is a finite resource). that means that in the absence of metasploit, these attacks would be directly impacting fewer systems - probably more important systems, but fewer systems in total.

now before i go any further, let's address an assumption i've made. i think it's an obvious one. you've probably had it on the tip of your tongue for at least the past two paragraphs. the assumption is that in the absence of metasploit nothing else would pop up to take its place. for my purposes, that's actually not so much an assumption as it is an ideal starting point or degenerate case from which to build a more complex model.

so let's say that another group of well-meaning researchers decided to pick up the gauntlet. i see no intrinsic difference between that hypothetical case and the actual case we have with metasploit right now. that makes it really not that interesting an alternative, because it's not really alternative in any meaningful sense. the more interesting alternative lies in the argument that if the good guys didn't do it, if they were all too principled (for lack of a better word) to follow that path, then the bad guys certainly would.

so in that case let's say a group of ne'er do wells decided to produce a similar tool. would it be the same? would it have the same properties and present the same problems? i would argue that it wouldn't - that the incentives in the underground community are different enough that what would be produced either would not be free (and therefore not available to all casual adversaries) or it would not be as capable as metasploit would have been (perhaps because the best exploits would get held back in order to give the developers a competitive or strategic advantage over the attackers they're helping for free). the motive of doing it for the benefit of everyone (that drives the excellence found in the free edition of metasploit) simply isn't compatible with financially motivated cybercrime. greed and selflessness don't mix, so a criminal-driven equivalent to metasploit wouldn't lower the bar as far as metasploit does.

so what am i trying to say? what am i really getting at with all of this? the TL;DR version is that the metasploit folks are too nice to people, including the bad guys. the notion that metasploit represents the attacks that are readily available suggests to me that they lower the bar too much. no one seems to disagree that metasploit is a tool that is used by script kiddies (among others) and so i'm left to wonder very seriously whether there's an actual legitimate use case for metasploit that involves such a completely unskilled user. leave no user behind? i think under the circumstances an exception deserves to be made.

Wednesday, October 26, 2011

marketing bullshit isn't just from marketing departments

so apparently there's a conference going on right now called hacker halted. i heard mention of it a few days ago but paid little attention because frankly there are just too many security conferences to keep track of. what piqued my interest yesterday, however, was a retelling of something george kurtz is supposed to have said in one of the keynotes at the conference - specifically, he's quoted as saying the following (from @InfosecurityMag's tweet)
industry has to move beyond signatures and customers need to demand this from the vendors. We need to change and adapt
now i have to admit i had no idea who george kurtz was. fact of the matter is i have no idea who most people in the security field are (so if you're wondering why i don't follow you back on twitter or add you to a circle on google+, that's a strong contender for the reason why). i thought he was just some crank talking about things he didn't really know much about (more common than you might think, unfortunately) because the AV industry hasn't been relying exclusively on signatures for quite a long time.

imagine my surprise to discover george kurtz is actually the chief technology officer at mcafee, of all places. would such a highly titled representative of an AV company really say such a bizarre thing? well, if symantec's CEO can claim the virus problem is solved, then i guess so, but it still begs the question "what was he thinking?"

thankfully rik ferguson managed to tease a little something extra out of george on twitter
George Kurtz woke up in 2008 today "industry has to move beyond signatures". Helloooo? McFly?
@rik_ferguson maybe you missed the part about the hardware assisted security. Oops.. forgot you don't really have that at Trend.
and there we have it; the quote that people are fawning over (or scratching their heads over) was actually marketing bullshit. oh sure, on the surface it looks like an AV big wig eating crow and admitting that his company isn't doing a good enough job and needs to improve; just the kind of frank confession we're all waiting for the AV industry to make. but with this added wrinkle we see that's not it at all. george's company supposedly already has improved and it's everybody else who still has the problem. mcafee has this licked, mcafee is the solution, buy mcafee.

no, he didn't actually say 'mcafee is the solution, buy mcafee' (to the best of my knowledge), but that is the reality distortion he's setting up - and distorting reality that way is the hallmark of marketing. all that remains is to publicly declare that deepsafe (their hardware assist technology that they announced over a month ago) is how you "move beyond signatures" and the marketing message will be complete with reality suitably distorted to mcafee's benefit and everyone else's detriment.

now you might be thinking to yourself that this can't be true, that such a highly placed and well respected security expert would never stoop to such base gamesmanship. the fact is that not only do most public faces of the industry practice marketing regularly in the process of representing their respective companies, but most high profile speakers rise above the rest not strictly by merit but by effectively selling themselves and building their personal brands - and if they have to stretch the truth or fuzz the facts or distort reality to make their message more palatable to the masses and give themselves more cachet and influence, then so be it.

and the unfortunate consequence of this is that, due to the fact that the rest of us rely on such speakers to inform us, much of what the majority of us know about the subject matter in question is actually somewhat wrong in subtle (or not so subtle) ways. reality distortion interferes with the formation of accurate mental models and that in turn interferes with people's ability to deal with the parts of the real world those models are supposed to represent. one of the things i've tried to impress on people in the past is that they need to stop listening to marketing, but i realize now that i don't have an easy method for them to recognize it in the first place. at least not without developing much more thorough knowledge than they currently have, and to do so without relying on apparent authorities on the subject in question is no easy task.

no, marketing bullshit isn't restricted to the glossy pages of a magazine or the cover of a box or an ad on tv. it's not just the product of marketing departments. it's woven into the very fabric of what we think we know, and it's hurting us.

Friday, September 23, 2011

facebook's ticker: a ticking privacy timebomb?

there's a lot of pixels and bits being dedicated to the major changes that are underway at facebook, but most of the attention seems to be focused on the timeline feature. i tend to think the ticker feature deserves a lot more attention and, frankly, concern.

first off, it seems clear that facebook wants to be the destination for an ever increasing number of activities - not just farmville or mafia wars, but consuming print, audio, and video media, and even purchasing goods too. fine, facebook wants to be the web portal to end all web portals - the next AOL or compuserve - it's fine to have aspirations like that; although actually being AOL or compuserve doesn't seem to have worked out that great for AOL or compuserve in the end.

but with that breadth of possible activities in mind, the idea that facebook will now be sharing everything you do automatically seemed really rather stupid to me at first. maybe there is too much friction inhibiting sharing right now, maybe clicking a button isn't easy enough, but truly "frictionless" sharing that happens without any action taken on the user's part takes the intent out of sharing. sharing loses all meaning that way. it no longer tells you the sharer thought this article was insightful or that video was funny, it doesn't give any hint whatsoever as to whether the sharer thought something was worthwhile, it just collects everything in one big activity profile. indeed, was the person performing those activities really the sharer in that situation, or is the sharer facebook themselves?

at first you might think that the resulting poor signal/noise ratio would render facebook as irrelevant as myspace and its blinking, glittery profile pages have become. the folks at facebook seem to have realized this, though. they don't want people's main feeds to get filled with all that noise. they recognize that from a personal interaction standpoint, this data is too voluminous and unimportant. that's why they've relegated the data to a new place - the ticker.

the question you should be asking yourself right now, however, is this: if this data isn't actually useful to users when they're connecting with their friends, why is facebook interested in automatically sharing it? who is interested in that data? the answer is simple - advertisers. a large profile of everything you read, watched, listened to, and did online is for all intents and purposes your web history. in this case it will be your web history as seen through the eyes of facebook. we in the security community get upset about browser vulnerabilities leaking our browser history, or tracking cookies being used to track where we've been; the data collected for ticker is not going to be inherently different than the data acquired through those other means. furthermore, it's too voluminous and granular to be useful to anything other than an automated process that looks for certain types of patterns and trends. the kind of process you'd use for the automated targeting of ads - targeting based on your activities, your behaviour.

the ruse of "frictionless sharing" appears to be a trojan horse (not the malware variety one might traditionally think of, though) for introducing behavioural profiling for the purposes of targeted advertisements. social spyware at its best.

but even if that's not the case, even if that data really is meant for a user's friends to see and use, there is a profound implication buried in the automated sharing of everything. you can't control your public image if the choice of what you share about yourself is taken away from you. for all the hand wringing recently about the damage that real name policies do (eliminating your ability to control the personal information that your identity represents), the elimination of your ability to control your public image means the elimination of the persona - something that has been part of the social experience of humans since the dawn of mankind if not longer.

our true selves, the nature that we keep hidden behind the masks that we each present the world, is something that we innately keep private. i simply cannot believe that our social norms are headed in the direction of completely removing those social masks. giving up that private information in exchange for access to a service is a privacy bargain that we have never faced before.

so, if you thought the ways facebook could violate our privacy couldn't get much worse, you were dead wrong.