Thursday, April 26, 2012

VMWare gets jacked...


Today, Virtualization and cloud computing is becoming extremely popular. This article on darkreading.com shows a quote from Eric Chiu, founder and president of a virtualization security firm by the name of HyTrust, stating that “Virtualization is mainstream and over 50 percent of enterprise datacenters are now virtualized” because of this growing usage of virtual machines, it's a growing target for attack from malicious users.

Theft of a portion of VMWare's ESX Hypervisor product is a big deal. VMWare apparently did not offer any clues to how or when the breach occurred, but a hacker has taken credit for the theft, and posted one file worth of source code for public viewing. VMWare officials, the article explains, say that the code is legitimate, but from inspection of the code and the developer comments, they say it dates back to 2003-2004.

VMWare claims that customers should not be concerned about any risks brought about by this theft and broadcast of the code. They stand firm with their philosophy of not using security through obfuscation. Which is to say, keeping source code publicly shared among certain industry partners in order to increase the number of eyes and brains working on making the code as secure as possible.

"VMware proactively shares its source code and interfaces with other industry participants to enable the broad virtualization ecosystem today. We take customer security seriously and have engaged internal and external resources, including our VMware Security Response Center, to thoroughly investigate. We will continue to provide updates to the VMware community if and when additional information is available."

I believe, and have said it many times before, that this is crucial to circumventing problems that present themselves when breaches do happen. This similar situation happened with Symantec's PC Anywhere suite, and they suffered severe public image damage, customer loss, market share damage, and brand loyalty loss due to the vulnerabilities that ensued after a similar breech and broadcast of some of their source code.  Symantec operated on a security through obfuscation, and treated source code as top secret, assuming that if you can't see the code, you can't take advantage of the not-so-ideal coding practices that cause vulnerabilities.

The article explains, and I agree, that it just goes to show you that even the most prepared companies, with balls-to-the-wall security and non disclosure implementations, can still be victim to this type of breach in security. Whether it was due to a great-wall attack, middleman, or simply a social engineering hijack, we do not know, but does it really matter?

Furthermore, this announcement by VMWare bolsters the argument for open source products. A good idea in this day and age of software, in my opinion, is to get as many brains to look at your product's code to increase the angle of perspective, and increase chances of finding flaws and vulnerabilities before they become a real threat to customers.

Posted by No comments:

Facebook and Possible Solutions...


An article from Cnn.com explains the changes Facebook is making to it's Statement of Rights and Responsibilities. It was originally assumed that the changes are being made with the intention of decreasing users' paranoia about how the information and data on their page, as well as their social connections, is being used.

Although these changes and their intentions were explicitly mentioned to benefit the end-user, it just so happens that there are essentially zero changes taking place in how Facebook actually uses and collects data. It is now clear that Facebook only announced it was a change to the “Statement of Rights and Responsibilities” that was occurring, as opposed to a change to the Privacy policy, which is where the terms of data collection and usage is contained.

Many people are concerned with Facebook and how the data could be used, but you must remember that Facebook is a free service, and where they make their money is advertising.  I'm not suggesting that there doesn't need to be any clear terms or opt-out as far as the data mining is concerned. I do believe that internet privacy is a big issue today, and that there needs to be a consensus among the big corporations AND users about how to deal with it. However, I do understand that Facebook does require to use your data for advertising as that is their main revenue source.

Despite Facebook's necessity to use your data in order to increase their bottom line, I believe that fundamental changes can be made in order to ensure a more solid policy of data usage. For example, as opposed to sending data and trends out to advertising companies, delegate the task of 'figuring out what ad you are more likely to click on' to the entity it will appear on.

For example, perhaps Facebook could simply have a list of “major categories” that percentages of their users belong to. Instead of broadcasting specifics about each and every user, give the advertising companies this information, so that they can have several different ads that target certain categories. Then, on the Facebook server, it is determined with random number generators and some algorithm, which advertisement will be shown based on which categories you belong to and which categories of advertisements are in this week's line-up.

I think a solution much like this could be extremely successful and also may instill more competition among advertisers. To me it's like a Pot-Luck dinner. If I am a 'Sports enthusiast' 'Computer Programmer' 'College Student' and 'Socially inclined' for example, there will be a random chance of advertisements that fit these categories being shown on pages I visit. The advertisers would only need to know about the statistics of how accurate the system is, which will in-turn be similar to 'prime-time' advertising. Say for example 70% of users that are “SPORT ENTHUSIASTS” click on 'sport's memorabilia and tickets' advertisements” This would result in competition in the “sport enthusiast” category of advertising thus increasing the prices of putting your advertisement into that week/month's line-up to show these advertisements.  Facebook would then have no reason to broadcast your personal data, only statistically analyze it PRIVATELY and make the findings public to advertisers rather than, for example, using tracking cookies.
Posted by No comments:

Google Drive Incites Paranoia...


Google Drive is undergoing a lot of publicity lately, and it is not due to the amazing innovation in cloud storage, or even because you can get 5gb for free that sync's across all google enabled devices, not in the least bit. It's because the privacy policy is worded in such a way that your documents, content, files, pictures, and any media you that you store in the cloud are now 'owned' by Google.

Though, the policy doesn't explicitly say this, it can be interpreted that way. This article from Cnn.com explains that Google Drive's terms of service states “Google reserves the right to 'use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute” anything that you upload to the Google Drive. Furthermore the 'unified privacy policy' of Google explicitly states that it won't use your content for anything other than “provide, maintain, protect and improve [its services], [and] to develop new ones”

This implies that anything you post, as the article explains, such as a picture could end up on a promotional advertisement. Now your face is blasted across the web, providing revenue to google, with no royalties needed, because the legal terms explicitly state that anything you upload to the Google Drive is subject to this type of use, without additional consent from the user.

In addition to this bypass of consent based usage of your files to 'promote' a Google service, people are worried about just how public this material is. If you consider the Megaupload scandal, the article explains that it's possible for your content on the cloud to be subject to a subpoena and taken off the cloud forever.

In retrospect, the new unified privacy policy that Google introduced months ago, explicitly said that any data gathered from your activity cannot be used cross-service, so it begs the question of – Where is the line drawn for 'cross-service'? Google stated that data gathered from e-mail content within G-Mail wouldn't be used for other services, for example advertising on the Search engine, but it can be used for advertisements in the actual E-Mail interface?

At first I thought the new privacy policy implemented by Google was fairly transparent, but in hindsight the transparency was a farce. Vague interpretations of the words Service, Product and Promotion suggests the need for more intense research and awareness among users, rather than taking the policy at face value.


Posted by No comments:

Wednesday, April 25, 2012

CISPA...


The Stop Online Piracy Act as well as the Protect Intellectual Property Act, SOPA and PIPA, were all the rage over the past few months. These bills were trying to be passed through congress. These two bills and the legislation behind them caused a pandemic of publicity and outrage. There were huge companies behind the support of denying the bill. Google petitions that even I took part in.

Although the bills were unsuccessful in congress, there is another bill in the works that a lot of people don't realize is even worse. It's called the Cyber Intelligence Sharing and Protection Act, CISPA for short.

The Reason why this bill is even worse than SOPA or PIPA is the vague wording in the bill.

Theft of misappropriation of private or government information, intellectual property or personally identifiable material.

This is far too broad of a statement! Protecting from the 'misappropriation'? of intellectual property? So basically if your web site challenges an idea, like Face-book or the government for example and all of the sudden you are there competition, they can take legal action against you and your website. The wording of the bill is vague enough to say that if you are a large corporation, you're on the government's side and are 'protected' under the bill. It is a violation of first amendment rights to freedom of speech, press, and religion.

The difference beteween CISPA and the other bills is that the same big corporations and companies that were against SOPA and PIPA are now in favor of CISPA. The reason for this is explained in this article on PCWorld.com, of course several other sources have been trying to raise awareness on CISPA.

The “Broader information sharing between business and government” is basically a new revenue stream for big information gathering companies like Google and Facebook. This unhindered, and government supported invasion of all privacy is scary to me. Where do we draw the line?  It's all a big rat race for these companies and the money is the driving force for the violation of all of our civil rights, even if it does happen to be on the internet.
Posted by No comments:

Stringrays and feds...


Where is the line drawn for your fourth amendment right? You know the one, it states:

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

Almost everyone has a cell phone these days. A random study I stumbled upon states that even many US third graders (8 years old) have cell phones.

With the massive acceptance and usage of cell phones, would you expect some privacy on those lines? Wouldn't you suppose that a cell phone and a conversation had on one, would be private, aside from maybe a warrant based on probable cause being involved?

Apparently the federal court does not agree. Within the last year a device known as a “Stingray” has been getting a lot of publicity. The way the device works is that it pretends to be a cell phone tower, intercepting signals and initiating handshakes to mobile devices at it's own accord. The device does not actually disrupt but acts as a middle man to cell phone traffic. The government can use these devices to monitor any and all cell phone data and conversations.

This article states that the government insists that stingrays do not infringe on the Fourth Amendment. Their claim is that most people do not have the expectation of privacy so therefore they do not need to acknowledge it as personal property or privacy.

In this day and age of wireless fun, how can you not expect some level of privacy? Literally everyone uses them and for the government legislators to entirely disregard the fourth amendment right is insane to me.
Posted by No comments:
Subscribe to: Posts (Atom)