Cupid’s (Possibly) Poison Arrow

By | November 23, 2011

Could Valentine’s Day be a phishing day? Internet Security Systems, Inc. reckons so, saying in a press release (no URL available yet) that the number of dating sites across the world has increased by 17 per cent within the last twelve months. ISS reckons this rise “is partly attributed to the increase in malevolent websites used by developers of malicious code as an opportune moment for phishing, spam and hacker attacks on unsuspecting victims.”

Having said that, there doesn’t seem to be a lot of strong evidence presented to back this claim up. “Organised criminal units have in the past timed their attacks to coincide with popular celebration occasions in order to achieve maximum success in compromising the integrity of computer systems,” the press release quotes Gunter Ollman, Director of X-Force at Internet Security Systems. “It is anticipated that Valentine’s Day is a day that is similarly marked on the criminals’ calendar for targeted attacks.” Makes sense, but isn’t this a tad alarmist? Should we ignore every Valentine Card we get (assuming we get any)?

ISS offers the usual suggestions about defending yourself from these poisoned Cupid arrows, as well as pointing out that it can provide its own solution, via a “Proventia Web Filter which blocks unwanted web content, optimises Internet access for employees and prevents any kind of non work related Internet use.” Yes, of course. Ye old “press release as pitch posing as public service ad” trick.

Given that Internet Security Systems, Inc. has been, according to its own blurb, “an established world leader in security since 1994”, I guess I’d expect to see a bit more hard data to back up this kind of scaremongering. It’s not that I don’t believe that scumbags will use Valentine’s Day as a social engineering tool to pry open your gullibility, but I’m not sure security companies should just throw out warnings like this without more carefully calibrated data to justify it. Where is all the data about previous years’ attacks along these lines? Where are the examples to illustrate the problem, and the sophistication of the bad guys? What kind of data are they after? We deserve to be told if we’re going to bin potentially our only chance at happiness.

Morph: Where You Sit

By | November 23, 2011

I’ve been invited to join a bunch of interesting folk blogging at the Media Center Conversation, “a global, cross-sector exploration of issues, trends, ideas and actions to build a better-informed society. It’s a collaborative project that rips, mixes and mashes people from radically different spheres of activity and thought to share and learn from each other.” The idea is to “explore how society informs itself, tells its story and creates the narrative from which we extract context and meaning about our world, our neighbors and ourselves. From this exploration we seek to connect people and opportunities, to incubate ideas – and to stimulate projects and action.”

Here’s an excerpt from my first contribution: Where You Sit:

Where you are influences what you write.

I write a technology column for the online and Asian editions of The Wall Street Journal, based in the Indonesian capital of Jakarta. Even my boss sometimes asks me why I don’t move to some geeky centre like Singapore, Hong Kong, Tokyo, Seoul or Taipei.

Last time he was in town I was trying to explain to him — the diversity, the perspective it lends to geeky gadgetry fiddling with my Treo as a prematurely old woman drags a truck-sized cart of grass past my taxi window, the wow! factor when technology really does work in the real world — when a terrorist bomb went off outside an embassy less than a mile away. That stopped our conversation before I had really gotten into gear. Nothing like a bomb blast to break the mood.

Yes, I know it’s awful to quote oneself, but I just wanted to show you I’m staying busy. And actually there are some interesting folk posting to the blog, so you can ignore my stuff and read theirs if you prefer.

Google Talk May Not Be As Cheap As You Think

By | November 23, 2011

We should probably start being more careful about what we wish for. Google Talk is now offering, apparently because of public demand, histories of chats stored in your Gmail account. Useful stuff. But accessing those histories will involve seeing contextual ads next to them, as per ordinary Gmail messages.

The relevant part of the FAQ says

There are no ads in your chat sessions or your Quick Contacts list. Once a chat is saved, however, it becomes just like a Gmail message. And just as you may see relevant ads next to your Gmail messages, there now may be ads alongside your saved chats. Ads are only displayed when you’re viewing a saved chat, and as with all ads in Gmail, they are matched entirely by computers. Only ads classified as Family-Safe are shown and we are constantly improving our technologies to prevent displaying any inappropriate ads. One of the things many Gmail users have told us is how much they appreciate the unobtrusive text ads in Gmail, as opposed to the large, irrelevant, blinking banner ads they often see in other services, and many have even cited the usefulness of the ads in Gmail.

It’s a useful feature, but at some point shouldn’t we start asking ourselves whether all this stored information is not a tad dangerous, whether it’s held by Google or anyone else? Already we are a little lax about what we say when we’re emailing people, but this is nothing compared to instant messaging. A throwaway line in chat will be stored — possibly forever — on someone else’s computer if you chat with them. Now, if you use this Gmail option, another copy will be stored on a computer you’ll never really be able to track down. (This latter element is not the case with Skype, for example, which archives the chats on your own computer.)

Here’s why. Note the changes to the Google Talk Privacy Notice. Notice, among other things, that your Google Talk “personal information” is no longer deleted after a reasonable period — although “activity information” is. Neither of these terms is laid out fully and unequivocally. Even if you do decide to delete chat histories stored in your Gmail account, “because of the way we maintain this service, such deletion may not be immediate, and residual copies may remain on backup systems media.” In other words, don’t assume those chats will ever completely disappear.

This is not just about Gmailing your chat histories. It’s about using chat itself. For a company determined not to do evil, Google is surprisingly coy about what data it stores about you. Look at these changes to the Privacy Policy for example (parentheses indicate removal since the last version of the Policy, underlined text indicates additions):

 When you use Google Talk, [[Google’s servers automatically]] we may record [[certain]] information about your [[use of the service]] usage, such as when you use Google Talk, the size of your contact list and the contacts you communicate with, and the frequency and size of data transfers. Information displayed or clicked on in the Google Talk interface (including UI elements, settings, and other information) is also recorded. [[We delete personal information from the Google Talk logs after a period of time reasonably necessary to do so. ]]

On one hand it’s great that Google shows us what has been changed, deleted or added to its policy. But then again, we’d have found out anyway. And although I want Google’s bots trawling through my half-formed thoughts on chat even less than I want them trawling through my email, this is not really about Google. It’s about us thinking hard about how we treat these tools — email, chat, even VoIP calls or webcam exchanges — when we realise that what we type (or possibly say, or show of ourselves) is going to be stored somewhere, for a long, long time. And one thing we’ve learned in the past few weeks is that ‘not being evil’ is not quite as absolute a conviction as we thought it was.

 

Keeping the Keyloggers out of the Basement

By | November 23, 2011

Here’s a product about to be announced that claims to really protect users against keylogging — when bad guys capture the keystrokes you make and then transmit them back to base: StrikeForce’s WebSecure (PDF file):

The basic idea, StrikeForce’s PR guy Adam Parken tells me, is that “keystrokes are encrypted at the hardware driver and delivered directly to the browser.” This, he says, “gets around the OS, messaging service, etc. where keyloggers normally hide.” It looks a bit like this (from a WebSecure presentation):

[Image: Websec]

If that makes any sense. The grey boxes are the bits in between the keyboard and the network, and they’re all places that keyloggers hide. Anti-keylogging programs, as I understand them, are usually merely programs that try to guess what’s going on, and, if they see something sleazy, warn the user. Usually this is based on a prior knowledge, or library, of known keyloggers or known keylogging tricks.

WebSecure, instead, according to the press release, “automatically encrypts every keystroke at the keyboard level, then reroutes those encrypted keystrokes directly to the Web browser, bypassing the multiple communication areas that are vulnerable to keylogging attacks.”

WebSecure is going to be demoed at DEMO here sometime in the next 24 hours or so. If they do the job seamlessly and as promised, WebSecure could be quite a useful tool for companies and end users. But it’s an area long tackled and never conquered by security software developers, so I’m not holding my breath.

Opera Gets Widgetized

By | November 23, 2011

The Opera browser continues to impress, even as it becomes less and less relevant in the face of the mighty Firefox. This week Opera’s preview puts widgets on stage according to CNET:

Opera Software on Tuesday plans to release a second preview version of Opera 9, the next version of its namesake Web browser. For the first time, the new version will include support for so-called widgets, Opera representative Thomas Ford said. Widgets are essentially small browser windows that display information taken from the Internet on a user’s desktop. The notion is similar in concept to the widget idea that Apple Computer uses in the Dashboard feature of Mac OS X.

“It is really a big jump for us into Web applications,” Ford said. “They give people the information they want right on the desktop. Even if it is a Web page, people don’t have to go to the browser to see it.”

Actually Windows users have had access to widgets for a while, via Klips and Konfabulator, now bought and rebranded by the folks at Yahoo! as straight Widgets. I’m a big fan of widgets but I find I don’t use them as much as I should. It’ll be interesting to see how Opera handles it. The preview version also includes support for BitTorrent, the file distribution protocol.