→ LinkedIn Intro’s security nightmare

But what happens when using profiles for non-security, non-enterprise features becomes widespread? Won’t Google, Facebook, Twitter, and just about every social or ad-supported service want the same access to make it easier to mine your private data, spam your contacts, and evade App Store restrictions? It won’t be hard for the big services to come up with compelling features and friendly messaging to get millions of people to install their profiles, too.

[It’s a mess to be sure. Don’t miss the original if you want the nitty gritty.]

Source: Marco.org

Scripting News: The quiet war in tech.

I said a while back that if you want to understand politics you have to become deeply immersed in tech. The political reporters and bloggers have been totally too casual about that, even the smart relatively open-minded ones, and that even includes Glenn Greenwald. Is he really prepared to listen to Snowden, or can he just report an approximation of what Snowden tells him? It’s the latter, because as smart as Greenwald is, he hasn’t been spending the last N years schooling himself in the technology that we’ve built our existence around.

So think about it, how are we going to boot up the intelligence we need to make sense of this situation in time to make a difference?

Serious question, and heavy times.

[Go read. Thoughts?]

Source: Scripting News

Verizon and the N.S.A.: The Problem with Metadata : The New Yorker

But with each technological breakthrough comes a break-in to realms previously thought private. “It’s really valuable for law enforcement, but we have to update the wiretap laws,” Landau said.

It was exactly these concerns that motivated the mathematician William Binney, a former N.S.A. official who spoke to me for the Drake story, to retire rather than keep working for an agency he suspected had begun to violate Americans’ fundamental privacy rights. After 9/11, Binney told me, as I reported in the piece, General Michael Hayden, who was then director of the N.S.A., “reassured everyone that the N.S.A. didn’t put out dragnets, and that was true. It had no need—it was getting every fish in the sea.”

Binney, who considered himself a conservative, feared that the N.S.A.’s data-mining program was so extensive that it could help “create an Orwellian state.”

As he told me at the time, wiretap surveillance requires trained human operators, but data mining is an automated process, which means that the entire country can be watched. Conceivably, the government could “monitor the Tea Party, or reporters, whatever group or organization you want to target,” he said. “It’s exactly what the Founding Fathers never wanted.”

[And hasn’t the attitude in Washington about this been entirely clear? I always worry when someone tells me something is “for my own good.”]

Strongbox and Aaron Swartz : The New Yorker

Aaron Swartz was not yet a legend when, almost two years ago, I asked him to build an open-source, anonymous in-box. His achievements were real and varied, but the events that would come to define him to the public were still in his future: his federal criminal indictment; his leadership organizing against the censorious Stop Online Piracy Act; his suicide in a Brooklyn apartment. I knew him as a programmer and an activist, a member of a fairly small tribe with the skills to turn ideas into code—another word for action—and the sensibility to understand instantly what I was looking for: a slightly safer way for journalists and their anonymous sources to communicate.

[An amazing story. What other bits and pieces are hanging around from AS?]

Strobist: How to Avoid Dealing With the Police When Shooting in Public

I know my rights. I carry The Card. But I also know that on the street, the police have the ability to wreck a shoot. This one was not time-sensitive, but many are. And even worse, they can write you up, take you in — and even put you on any of a number of secret lists in our new DHS Secret Police State.

I know this because a very good friend of mine asserted his rights to — get this — a rent-a-cop private security consultant while shooting a twilight shot of a hotel during a commercial job. He made the mistake of being near train tracks where, according to the private security guy, the Constitution was no longer in effect.

My friend won the argument, but lost the war. The security guard/terrorist detection specialist turned out to be a vindictive jerk. The photog is now on an “increased scrutiny list” that adds a long and special wait at TSA any time he flies.

That sucks. And it’s not right — or even legal. But that is the environment we are now in. Like it or not, we have to deal with ignorant bystanders and/or ultimately, uniformed police officers potentially screwing up our shoots. Or worse.

[What a mess. But not a bad plan.]

WordPress To Disable Remote Access

WordPress To Disable Remote Access: If this sounds like a pipe dream, it’s worth pointing out that one very popular web service is already employing this strategy, and it works brilliantly. Flickr, Yahoo’s incredibly popular photo sharing site, is built on the very same APIs it makes available to clients. This results in some truly incredible Flickr-enabled applications and web services. And you don’t see any sign of Flickr disabling access to their API, because there’s too much at stake.

If your web service only provides one first-class API through which all access flows, then you’ve only got one point to secure, you’re likely to have feature parity across interfaces, and the risk of marginalizing one interface is dramatically decreased. [Well put, Daniel!]
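
A small illustration of that "one point to secure" argument, added here and not taken from WordPress, Flickr or Daniel's post: two interfaces (an HTML page handler and a JSON API handler) both call the same service function, so the authorization rule lives in exactly one place. A "split" handler that reads the data store directly shows the failure mode the excerpt warns about, since its copy of the access rule was never written. The photo store, the user type, the handler names and the visibility rule are all constructed for this example.

```python
"""Added example: a single first-class API as the one place access control lives.

html_handler and json_handler both delegate to get_photo(), so the privacy rule
is enforced identically on every interface. legacy_html_handler_split() is the
anti-pattern: a second code path with its own (missing) check, so the web UI
and the API disagree about who may see a private photo.
All data, names and rules below are constructed for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str


# Constructed sample data: photo id -> owner name, privacy flag, title
PHOTOS = {
    "p1": {"owner": "alice", "private": True, "title": "kitchen"},
    "p2": {"owner": "alice", "private": False, "title": "beach"},
}


class Forbidden(Exception):
    """Raised when the caller is not allowed to view the photo."""


def get_photo(photo_id: str, user: User) -> dict:
    """The single first-class API: every interface goes through here.

    Authorization rule (constructed): private photos are visible only to
    their owner. Because both the web UI and the external API call this
    function, there is exactly one place to get the rule right and to audit.
    """
    photo = PHOTOS[photo_id]
    if photo["private"] and photo["owner"] != user.name:
        raise Forbidden(f"{user.name} may not view {photo_id}")
    return photo


# --- Interfaces built on top of the one API --------------------------------

def html_handler(photo_id: str, user: User) -> str:
    """Web page view; inherits the check from get_photo()."""
    photo = get_photo(photo_id, user)
    return f"<h1>{photo['title']}</h1>"


def json_handler(photo_id: str, user: User) -> dict:
    """External API view; inherits the same check from get_photo()."""
    photo = get_photo(photo_id, user)
    return {"id": photo_id, "title": photo["title"]}


# --- The anti-pattern: a second path with its own (absent) check -----------

def legacy_html_handler_split(photo_id: str, user: User) -> str:
    """Web path that reads the store directly instead of calling the API.

    The privacy rule exists only in get_photo(), so this interface lets any
    user read a private photo even though the JSON API denies the same request.
    """
    photo = PHOTOS[photo_id]
    # no privacy check here: the rule was never ported to this code path
    return f"<h1>{photo['title']}</h1>"


def interfaces_agree(photo_id: str, user: User, html_fn) -> bool:
    """Consistency check: do the given HTML path and the JSON API return the
    same allow/deny decision for this request? False means they have drifted."""
    def allowed(fn) -> bool:
        try:
            fn(photo_id, user)
            return True
        except Forbidden:
            return False
    return allowed(html_fn) == allowed(json_handler)


if __name__ == "__main__":
    bob = User("bob")
    print(interfaces_agree("p1", bob, html_handler))               # True
    print(interfaces_agree("p1", bob, legacy_html_handler_split))  # False
```

The consistency check is the practical takeaway: when every interface is a thin layer over one API, a test like `interfaces_agree` is almost redundant; when interfaces grow their own data access, it is the kind of test that catches the path whose authorization check never got written.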

Macworld: News: With Web 2.0, a new breed of malware evolves

Macworld: News: With Web 2.0, a new breed of malware evolves: Until recently, botnets would always look for commands on a pre-allocated IRC (Internet Relay Chat) channel, but now distributed RSS-based command-and-control networks are coming into favor, Huang said. This makes it much harder for law enforcement to take down the computers that are actually sending the instructions to the botnet machines.
[Oops.]

OpenSocial Hacked Again

OpenSocial Hacked Again: He’s pulled up Ning co-founder Marc Andreessen’s friend list to prove his point, and shared part of it with me. I won’t be publishing it here, but it shows that he got access to the application.

Total time to hack iLike on Ning: 20 minutes.

As with the RockYou/Plaxo hack, no real damage has been done, but it shows that in the rush to get applications out the door quickly, attention to security may have fallen by the side of the road. [Oops]
Source: TechCrunch