Sunday, September 26, 2010

The Fresh Round of Twitter Hacks and Attacks

Whenever I talk about security, it is important that I remind you that I write solely my own opinions and not official positions of Intel. Hopefully, you find this useful advice, but that's all it is, advice from someone who is interested in safety.

Well, Twitter has been "safe" and quiet for some time. People have begun to let their guard down. However, a new set of vectors for exploits is being mined. It started about a week ago with a tweet exploit that became a worm and spread porn and other unsavory stuff. Now, a second version has appeared. It looks like this new version has been nipped in the bud. However, the risk is ever present. There are people out there looking for security holes and, when they find them, either playing pranks or spreading something more vicious.

Sadly, it is the nature of software to have such flaws. Thus, it is only wishful thinking to hope it goes away. We can erect better fences, but there will always be someone who finds out how to scale them and uses that ability to their advantage and our disadvantage. As a result, a certain level of caution, vigilance, and even paranoia is appropriate. But do so in balance: if you let fears dominate your life, the result is just as bad, because your fears will cause you to miss opportunities.

So, keep the following in mind. There are people out there who are out to trick you, and they are very clever and have very few scruples. These people are anxious to imitate anyone you trust, as that's a source of leverage for them. Thus, they will pretend to be your bank, the government, some famous company, your friend, a web site that you often visit, a new web site with an interesting game, anything they think will get you to trust them. They will do this by every means possible: by spam emails, by links to sites that download malware, by sending misleading tweets, by hacking into your computer, by hacking into the computers of places that have your info. The more valuable they think your information is or the easier they think it is to get, the more effort they will spend getting it.

However, in most cases, they are not targeting you specifically; they are just looking for the easiest mark that will fall for their trap. Therein lies your advantage. You don't have to outrun the bear, just the other hikers. This is why fish swim in schools. Sure, that makes the entire school a large target and the fish along the edge do get eaten, but the ones in the center tend to survive and breed a new generation. Your goal is to be in the safe part of the school.

Thus, when you read safety advice on the internet, remember that it is not fool-proof. Some people who do everything right will still get hacked. However, it is the best advice we have. It will keep you from doing things that are too risky and too likely to get you into trouble. It will increase your odds of using the internet safely.

See the next entry for some safety advice recommendations.

Common Sense For The Fresh Round of Twitter Hacks and Attacks

Whenever I talk about security, it is important that I remind you that I write solely my own opinions and not official positions of Intel. Hopefully, you find this useful advice, but that's all it is, advice from someone who is interested in safety.

Here are some basic safety principles and examples of their use:
  1. Don't trust unsolicited information.
    1. If you get an unsolicited email or phone call or direct message or @ message or wall posting etc., don't presume the sender is who they claim to be, especially if they ask you to do something you wouldn't normally do (e.g. give out your bank account number or phone number).
    2. If you do believe that you need to do something in response to a message (e.g. you are worried your account might be overdrawn), use an alternate channel for taking action. Don't click on a link embedded in the message. Log into your bank in a separate browser window by typing in the address you know (or have written down from a safe and calm time). Better yet, don't do it online--call or visit your bank.
  2. Keep your secrets safe.
    1. Don't post details about upcoming trips when you will be away from your house for a significant period of time.
    2. Check that public information sites like spokeo aren't giving out information that can be used to impersonate you.
    3. Don't post pictures of your kids nor give out their names and ages.
    4. Don't post details of your life (or pictures of yourself) that you aren't willing for the world to see. Don't even send such pictures to friends.
    5. Use strong passwords. Not a word in a dictionary. Not an easily typed sequence of numbers. Not something about you that can be guessed or looked up online.
    6. Don't reuse the same password for multiple places, especially not important ones. Make certain that even if one of your passwords gets cracked, your other passwords are still not easily guessed.
  3. When something bad happens, don't panic.
    1. Calm yourself down first. Realize that it probably isn't as bad as it seems right away.
    2. Plan the steps to limit the damage before doing anything else. That will force you to be more focused.
    3. Make sure you are thorough. For example, if you have an account that is hacked, make sure you take all the steps to make the account secure, check your computer is secure, and then check to be certain your other accounts are safe also. If the account broken into has a password, change it to a new one as part of the plan.
    4. Don't do other things until you have verified that you have solved the problem. If you have a hacked Facebook account, don't check your bank until you've fixed that problem first and verified that you don't have a virus or keylogger on your computer. If you skip steps, you may spread the problem to other parts of your life. This is where making a calm plan can come in handy.
  4. Stay aware.
    1. Watch for alerts as problems are spreading. There is often specific advice on things not to do as they are found.
    2. Read various sources on the issues. Get a variety of opinions and guidelines so you can make informed choices.
    3. Keep your protections up-to-date. Don't just download a virus tool and think the problem is solved. Get updated definitions regularly. See if there aren't other tools you should use. Also, change your passwords at least from time to time, even if you haven't been hacked that you know of.

Hopefully, the above list doesn't seem too long. There is a lot of good that can come from using the internet. It can make your life easier, richer, and more fulfilling. If you make the above into "good habits", they shouldn't take much time at all. Moreover, these good habits aren't just for using the internet. They are more "common sense" things that you should practice everywhere. While the internet has its own unique risks because it brings the whole world right to us, many of the most dangerous things were already in our lives. Most of us have already learned to cope with them.

Friday, July 2, 2010

Foursquare: Don't Bury One's Head In The Sand

The opinions expressed here are purely my own and not those of Intel. However, what I write about is clearly influenced by my job and exposure to ideas at Intel.

As an introvert, many parts of social media aren't intuitively obvious. Foursquare is a pretty good example. My intuition immediately links it to PleaseRobMe.com. Thus, I find it hard to recommend for someone wanting to protect their privacy, safety, and security.

However, to ignore the changes in modern society is simply to be an ostrich and assume that ignoring something will make it go away. Yes, sometimes that works, but it isn't a sound strategy.

Moreover, people enjoy games, and adding fun to one's experience actually enhances one's life. This can be coupled with many a corporation's desire to know more about you. A big part of social media is trading our privacy for some other benefit. One common way corporations attempt to extract that info is by involving you in games and contests.

Much of this blog is trying to help you avoid making that trade unintentionally, giving away your privacy or safety for something of dubious value. That is still a sound principle. Being aware that most internet and social activities are designed to extract information about you and repackage it for resale is important.

I (sadly at one level, but ultimately peacefully) gave up playing games on the internet almost ten years ago, because I realized that the information I was giving up and the risk I was putting myself in were not worth the value I was receiving from playing. This was particularly true for the online lotteries. Although the aphorism that you can't win if you don't play is true, in the end I determined that I probably couldn't win by playing either and was simply putting myself at risk for downloading malware.

The same holds true for me for a host of other online games. At one time in my life, I truly enjoyed the fantasy of role-playing games. I can even understand those who are willing to get dressed up in costume and go to conventions for their favorite escape. However, the risk for me of having my privacy invaded by participating keeps me far on the sideline.

Given this context, you can understand why I would be reluctant to recommend Foursquare to anyone. Using foursquare certainly gives away information about you. I would certainly recommend that anyone considering it think carefully through what you are trading for what you are gaining. You need to be clear that you are getting something back for the information you are giving away.

When will using foursquare put you at risk, and what will it put you at risk for?

After assessing that, what will you potentially gain from using foursquare?

At the same time, you need to consider those alternatives rationally and honestly and realize that by our very nature, we as humans are particularly poor estimators of risk and the trade-offs between risk and reward. As humans, our tendency is to over-estimate risks that seem particularly detrimental and under-estimate ones that involve common-place events. Otherwise, we would never get on a chair as a substitute ladder to reach something just a little bit too far away and end up falling--a surprisingly common error we all make.

In light of that, determine for yourself how much additional risk you are taking by joining foursquare. Are you broadcasting information that isn't readily available already? Can that information be used in some way to your detriment?

To make this concrete, let us consider a couple of specific examples based on the PleaseRobMe.com model.
  1. You are a single 9-5 working person living in an apartment. In this case, it is probably obvious that you work all day and that your apartment is vacant during that time. Incremental risk from using foursquare to check in at your favorite restaurants, probably limited.

  2. You work from home and thus stay at home almost all the time. In this case, tracking the times you are away might be significantly valuable. Especially, if long trips are involved. Incremental risk from using foursquare to check in at Disney, much higher.

The key distinction is whether the fact that you are away is unusual. That makes it more valuable.

However, if one really wanted to do the analysis, one would need some numbers to work with. To my knowledge, no one has yet compiled any comparative statistics on the number of people whose homes were robbed who were using foursquare versus non-users. While I would expect some marginal incremental risk, I would expect that the number would be less significant than the location of one's house. Some neighborhoods just get robbed more than others. I would be willing to bet that the choice of neighborhood was a more significant variable than foursquare usage in home robbery rates.

Therein lies the point. Don't skip using foursquare simply because the fear of a home robbery is so dreadful that you over-magnify its probability. Skip using it only if the benefits are dubious to you. If you find something interesting that you might be able to benefit from by using foursquare, the risk from using it is probably not that high, so go ahead and indulge.

For example, if you attend a conference, like IDF, where Intel is involved and you have a foursquare account, there is a good chance that there will be contests and giveaways for those who check in. By the way, when you do so, read the fine print first. Intel has a very strict policy about how it can use the information it gathers, so we will have to tell you what your checking in means and how we might use that information in the future. That's a standard everyone should be held to.

Friday, June 25, 2010

When Will We Wake Up?

As always, these thoughts and opinions are mine alone and not official pronouncements, policies, or statements from Intel. Note that the examples used in this posting are not unique and not the most extreme cases. They are simply ones that have become lodged in my mind.

This is the other half of the issue I just wrote about in this post, where I addressed the need for people to be conscious of how choosing convenience might be lowering their security and privacy.

Here I'd like to ask the question from the implementer's point of view. In particular, we have long known that some systems are easy to crack. I am going to list some easy flaws of convenience and ask why we haven't learned to avoid them.
  1. Obvious default passwords and insecure default settings: In high school my friends and I were taught on a large computer and given the instruction manual for the operating system, compilers, and so forth. In those books were the instructions on how to run the system that assigned accounts and passwords, and the examples used names like "password" for the system accounts. Gleefully, we tried those passwords, and no one had ever changed them. They were the same as in the book. Since no one had ever heard of cracking accounts back then, those administrators could be forgiven.

    However, in the 2000s when I bought a router, leaving the name as "linksys" and the password as "administrator" would have been tragically foolish. Still, the recommended installation procedure did not change those names and in fact connected one to the internet as a required early part of the process. I changed mine, of course, as soon as I had the router to the point where I could do so. However, I'm sure there are many extremely insecure wireless routers out there. Everywhere I go, I find linksys routers my laptop wants to connect to. If routers become a major pool of malware infections, it will not surprise me.

    Much more security aware is the way that the F-Secure SSH client automatically builds a random number when you install and first use it. The security is turned on right from the beginning and there is no worry that someone will use an insecure password and none for the person to remember.

  2. Back doors and escapes with unlimited power: Many people have spent a lot of time figuring out how to prevent the browser from downloading .exe files and running them. However, this whole time, one could download a .pdf and in it have commands that would download the files we were trying to prevent. There are some security provisions built in, but they are circumventable by social engineering. Sadly, this is not a flaw in some .pdf implementation, but a designed part of the spec.

    Building in an escape hatch or back door is an easy way to circumvent the limitations of a product. However, when that escape allows arbitrary code execution, you have abdicated control to those who would abuse your application.

  3. Installations that require too much privilege: Although this is slowly getting better, far too many applications still get installed with too much access to the system. This is definitely a convenience issue. It is time consuming to get the minimum access an application really needs, especially if you don't know whether someone else sharing the computer might need another feature and more privileges. Users will almost always opt for installing all the features in the most unrestricted fashion when given the choice. That is much more "convenient" than picking a narrow set of features and restricting them and then finding out later one needs more. Especially, in those cases where expanding the privileges might require stopping the application mid-task (or worse rebooting the entire system). The user will always opt for the convenient choice.

  4. Systems that require restarting to reset: Even worse than restarting the application to expand its privileges are those applications that have to be restarted on a regular basis. It makes sense that a system that is holding onto some personal information (e.g. the browser session visiting your bank or the system that allows you to send emails) wants to time out so that one doesn't accidentally walk away leaving that information unprotected. However, other applications fail after running for a while for no obvious reason. My assumption is that this is due to careless resource management and that some resource is eventually exhausted and the application falls over or simply hangs. However, whatever the cause, this practice has tended to train users to expect to re-login to various applications on a regular basis. Thus users are much more cavalier about entering their security information than they should be.

  5. Loading obscure software to build unimportant candy: A pretty user interface is appealing, but many applications put too much emphasis on sizzle rather than functionality. A common symptom of this issue is the web sites that seemed to require a new browser extension for each site. Again, this has improved somewhat, but still, in the process, many users were "trained" to download all sorts of software to make their web applications work, and the malware writers took full advantage of this, loading first malware via such links and more recently fake malware scanners that were actually malware.

    Similar to this problem was the password manager I wanted to download that required loading a completely new-to-me language (groovy) into my browser to run it. Here was a system that I was using to attempt to increase my security, but which required me to perform a potentially unsafe action in order to do so. While password security isn't exactly candy, it isn't core functionality. It certainly isn't obvious why one would need to download a new language onto one's computer to get the browser to export passwords.

These are just some examples of lessons we as developers should have learned, where we have traded user security for user convenience. Admittedly, convenience is a nice thing. However, we have to be more protective of those who are depending upon us. We made the mess that allows malware to flourish. We could do our part to clean it up.

Convenience Versus Security

As always, these thoughts and opinions are mine alone and not official pronouncements, policies, or statements from Intel.

For a long time, we geeks who built the internet (and I can't take any significant credit for that) have lived in a fairy tale sandcastle in the sky. We believed in the essential goodness of people and thereby developed our hardware and software with our main focus on what was convenient and not what was secure. We also made that worse by concentrating on features rather than stability and lack of bugs.

In the security field, the bugs have gotten a fair amount of attention. People are very aware of the buffer overruns and other ways of breaking software like browsers to introduce malware into your computer or your network.

However, the convenience factor needs equal attention. Some of those lessons have been learned. When I administered my own Linux server back in 1995, I learned the hard way (i.e. by being cracked and having a rootkit installed) about the importance of closing up and securing ports. Having an open telnet port was convenient for logging into my server not only for me, but for all the miscreants who thought accessing and using my computer might be fun or profitable.

Still, this lesson needs to be repeated over and over again. The sites that are open to the attacks in this video have not properly secured their assets. If you leave your property open and unlocked, someone will eventually "borrow" it or play a prank on you through it or do something else you don't want and hadn't intended. Especially, if the info on how to do so is on popular sites like bitrebels.

So, when you buy that new webcam or baby-monitor think before you expose it to the internet. The out-of-the-box configuration was probably designed by geeks who wanted to make it convenient for you to use, not to keep your private information private. That doesn't mean you can't make the device secure, just that you will need to do extra work to do so. Work that might not be detailed in the instruction book that comes with the device.

Although we geeks who design and build such devices emphasize convenience and features as that's what we've trained ourselves to do and what the market has traditionally rewarded, if consumers want safer more secure devices, we will make them. Companies are already realizing the need for that. The culture is ripe to grow and spread. Consumers just have to make informed choices that demonstrate that preference.

If you are an implementer and want to ponder some of the ways we have helped users trade security for convenience, try reading this.

Tuesday, June 15, 2010

Viruses on Linux

As always, I want to reinforce that these are my personal opinions and not the stated policies, recommendations, or positions of Intel.

It has been discovered that an Open Source application that runs on Linux has had some of its repositories cracked and some of them were serving a malware-infected version, as reported here and here. Now, while some have reacted as if this reporting is an attempt at spreading FUD (fear, uncertainty, and doubt) among potential Linux users, it is simply one more incident showing that there is no security silver bullet.

Simply choosing a more secure OS is not sufficient to protect against all forms of attacks. Complacency will always leave one vulnerable. Reading your email on a Linux box will not prevent spam or phishing emails from entering your mailbox. If you click on an infected .pdf file, you probably won't get infected because the malware was probably customized for Windows. However, that doesn't mean someone couldn't infect a .pdf file with a Linux virus. Someday, someone will. Moreover, if the attack wasn't attempting to infect your system, but simply to get you to install a tracking cookie in your browser, Linux is no protection at all. Running Linux doesn't magically make one immune to social engineering.

This isn't a criticism of Linux. Linux out-of-the-box comes generally configured to be more secure than typical Windows desktop systems do. A good example is that on Linux systems root (superuser) access is done via a separate account rather than one's normal account. Many other features of Linux are specifically designed to improve security also.

However, Linux systems also often have more to configure and more to exploit. A Linux system will often run ssh and ftp servers and not just clients. Running nfs or samba servers on Linux is also very common. You might even run http or sql servers. Server systems require more complex and careful administration, because servers were designed to share their resources. Sharing requires more attention. Sharing opens avenues for attack.

If you button your Linux system up, it can be secure. However, if you run it with the telnet, ftp, ssh, and nfs ports all open to the world and without any security on them, you will eventually find more viruses and rootkits on your system than you can imagine. Believe me. I've been there. In fact, to my knowledge, the only system I've ever run that has been cracked was a Linux box. It was in part due to configuring the system to be more convenient rather than more secure.

I think it is appropriately instructive that the word rootkit derives from the name of the administrative account on Unix derivative systems. The first worm was also designed to attack Unix (not Windows) systems. Likewise, Ken Thompson gave as his Turing Award lecture how to embed a Trojan Horse in the C compiler, which shows that simply compiling from source is not a panacea either.

So, enjoy the security Linux is able to give you. Open Source is a good thing. There is ample reason why many cryptographers prefer trusting an open source algorithm. However, don't assume running Linux without appropriately configuring it makes you magically immune to attack. Life isn't quite that simple. Security still requires work. Always will.

Friday, June 11, 2010

Fooling Turing Tests for Chats with Bots

As always, I want to be upfront that the opinions in this posting are only mine and not official statements made by Intel.

Way back in college, I came across the program called Eliza. If you haven't ever encountered it, you simply type messages to it and it types messages back, just like a person on a chat-site. The program is realistic enough that people have been known to treat it as a real person. Therein lies an interesting question. How do you tell the "person" you are talking to is a real person and not a computer? That question is so important, it is called the "Turing Test".

The Turing Test basically says a judge is allowed to talk (as one does in a chat-site by typing messages back-and-forth) to two contestants, one of which is human and the other a computer. The computer loses if it is properly identified as a computer, but if the computer is misidentified as a human it wins.

Well, in our world, there are lots of variations on chat sites, where we type messages to people rather than talk to them. Some of them are social like Facebook and Twitter. Have you met people on one of those sites that you haven't yet met in real life? Are you sure they are for real? They aren't always real. There are "bots" on these sites whose sole job is to impersonate a person and in doing so get unsuspecting users to click on malware links.

We see the result of these from time-to-time, when there are outbreaks of tainted links circulating. When that happens, people post warnings not to click on links attached to messages like "Is this really you in this picture?" or "ha, ha, this is a funny one".

Fortunately, most of these attacks are simple. The bots are not very sophisticated impersonators. Many of us have learned not to click on links from people we don't already trust and even from them only links that are in line with info we already trust from them. We apply our personal versions of the Turing Test relatively efficiently. This is partially because we are expecting these bots.

However, let's imagine someone who wants to cheat and win a Turing Test. Suppose someone wanted to insert a "computer" into the contest, but have it be real enough to fool people. One simple way of cheating is to have the "computer" be a real person. There was a famous chess-playing computer built just that way called "the Turk". Inside this computer there was actually a small chess playing person moving the levers.

As discussed here in Dark Reading or here in their PDF paper, recently some researchers figured out a way to do a variation on this cheat in a chat situation. Instead of hiding a human in the computer, they made the computer tie two humans together. That way both humans were talking to other humans, but both thought they were talking to the person who the computer was pretending to be. On both sides of the chat, a human was moving the levers. However, on neither side was the person talking to whom they thought they were. Both chatters thought they were talking to the fake ID created for the bot, rather than the real person to whom the bot forwarded their conversation. The bot is executing a classic man-in-the-middle attack.

However, even though the bot was primarily forwarding the conversations between two humans, it was still a bot, and it was able to deliver malicious payloads: either sending a link which could have been to malware (but wasn't since this was a research project) or asking a phishing question (which also was a benign surrogate question for the research purposes). The bot was able to get high response rates to both forms of attacks, because the attack was in the context of an otherwise human-to-human conversation, and thus was camouflaged. The exact details of the attacks and how they were inserted and success measured are in the PDF paper or in this summary.

The effectiveness of these attacks, while worrisome, is dwarfed by a potential highlighted but not explored in the paper. A similar man-in-the-middle attack could be executed on online banking help chat sessions. If a bot is inserted in a banking help conversation, the bot could potentially be similarly effective at phishing details from the users. The users would be expecting to be asked questions to validate them to the system, so extra questions about personal details would not be surprising. Similarly, the bot could insert questions to the help side that might help the attacker move money. Again, the help agent would not be surprised at questions on how to do various actions, as the user was calling with troubles and the helper is trained to ask "is there anything else I can assist you with?"

These results should be particularly scary for people worried about phishing attacks. The technology involved is not sophisticated. The idea, while creative, was not far-fetched and had been predicted.

I am a prophet!!!! I eluded to this at #phneutral http://bit.ly/9BgN6L via @intel_chris and @darkreading

That means there are probably malware writers out there who are already trying to figure out how to incorporate this attack into their repertoire. The key thing about this paper is this kind of attack is no longer just an idea. There is a real proof of concept (PoC) implementation. It will not be hard for others to replicate this work.

Sunday, May 30, 2010

Is an iPad a Non-Programmable Computer?

As always, before I write anything, I need to add a disclaimer. I work for Intel and tweet under @intel_chris. However, these tweets and blog entries are simply my own opinions and not the official pronouncements of Intel in any way.

Before we look at that question, we need to define what it means. There are devices that perform computations that are not programmable. However, that isn't what I'm asking about, although it is close.

So, Sherman, set the way-back machine to 1890, the time of Herman Hollerith and the census. It was a big task collating the answers from all around the country, and it was done by using machines which sorted the punched cards into various slots.

If you look at old movies, you can sometimes see some of these machines. (More information and pictures at technikum29.) Early on in my career, I even used them.

Now, to perform their function these machines could be programmed, by the use of levers (in the case of the ones I used) or wires that could be connected or disconnected (in others). However, the key point is that the cards themselves could NOT affect the program; only the switches or wires could. Thus, although the machines could be programmed, from the point of view of the cards, they could not.

Modern computers keep the program in the same memory as the data. This is called the von Neumann architecture. This architecture allows the program to be changed by sending data to the computer. It is an important advancement in what computers can do. However, it also allows computers to become infected with viruses. When a modern programmer wants a computer, this is what he wants, something he can send data to in order to reprogram. This is the kind of computer your PC or Mac is.

However, there is a "computer" in my house that I never reprogram. It's my TiVo. Inside the TiVo there is a computer that can be reprogrammed, and some people "hack" their TiVos and change that program. However, I never do. I simply let the program run and do its thing.

Now, for those of you wondering, I do change the shows I watch and various things and that might seem like programming it. However, it isn't. It is configuring it. It's like the punch cards. Changing the shows I watch never changes the way the unit functions. Most importantly, changing the shows cannot introduce a virus into the TiVo. This is a non-programmable computer.

Of course, as I noted above the computer can be programmed. In fact, TiVo (the company) does so every once in a while. However, I never program it. More importantly, I have never heard of any virus writer ever sending malware to a TiVo.

The question worth asking is whether an iPad is more like a PC or Mac or more like a TiVo? If you don't Jailbreak your iPad (or your iPhone) I would argue that it is more like a TiVo. It provides certain services. Moreover, once you have a set of apps on your iPad, you don't reprogram it, until you add another app. Using an application on an iPad, even surfing the web, does not reprogram your iPad.

Compare this to surfing the web on a more normal computer. These computers are reprogrammed regularly. In fact, for the longest time, whenever you went to a new web site, there was a reasonable anticipation that the web site was going to use some new rendering software (e.g. a new version of flash) and would link you to a site to download it. That is one of the hooks many virus writers used to get you to load their malware onto your computer. You wanted to see Anna Kournikova and you were willing to reprogram your computer to do so.

On the iPad, one doesn't do that. One has a set of applications and they do their jobs. Moreover, Apple specifically vets all of those applications. At this level, an iPad has a virus-proof OS. If you never Jailbreak your phone, and you never download any apps that aren't approved, you should never get a virus.

Now, before everyone goes out and buys an iPad and says @intel_chris said it would protect them from viruses, let me add two caveats.
  1. The fact that one programs an iPad at all, and more importantly, the fact that down deep within an iPad is a computer that can be programmed, means that it is possible to create iPad viruses. Someday, someone will do so. The more popular iPads become, the sooner that will happen. Moreover, things like JavaScript embedded in web pages are small programs, which means at some level your iPad gets reprogrammed a little by almost every web page it visits, but these programs are not supposed to persist after the web page is no longer being viewed.

  2. Not all malware requires a virus be installed on your computer. In fact, spam and phishing emails are often not viruses at all. They simply get you to do something you shouldn't, e.g. order medication from a place you have never heard of, or send your banking information to a site that isn't your bank. In addition, even properly working web browsers have techniques (e.g. JavaScript as mentioned above) that allow malware writers to put up deceptive web pages and surreptitiously collect information from you.

However, despite that, I think that the iPad being a non-programmable computer is actually a good thing. For many jobs, we want something that just works and we really don't care how it works. For me, my TiVo is the perfect example of that. The fact that it is programmable only rarely tempts me to do so. (Yes, I'm still a geek, so it does tempt me from time-to-time, but I can always find better, more interesting things to program than it.) An iPad looks like another device that could act that way. Would I really want to program it, or just use it? I think for most people, just using it is the obvious answer.

If just using it has a side-effect of making us even just a little safer, that is a wonderful side benefit.

Sunday, May 16, 2010

Is FaceBook A Utility

Disclaimer: These opinions are strictly my own. They do not represent the views of Intel.
Recently, Danah Boyd, @zephoria, posted an excellent article, "Facebook is a utility; utilities get regulated". If you haven't read it, you should (including the comments) and form your own opinion.

To me, the real question, and I believe Danah captured it well, is what commodity Facebook is selling. What does Facebook have a monopoly on? The answer to that question is the connectivity to its network and the private information that people have placed on it. It is that private information people want to protect. It is that connectivity they cannot afford to lose.

I will not argue with the other people commenting that Google is not as significant a near-monopoly as Facebook, nor that Facebook won't eventually be replaced by another network. In fact, I do not use Facebook that much. I prefer a different near-monopoly, Twitter, for most of my connections. I also haven't placed significant private information on it at all.

However, Facebook has one attribute that some of its competitors do not, access to some of our private information. That is the information that Facebook wants to monetize. That is what has us upset. This is what people will clamor to regulate.

People do not care so much whether Facebook is a utility or not, except as it potentially exposes that private information without our consent to a much larger audience than we intended. If you read the recent polls on youth online behavior and attitudes, you will see that many of them assume that such protections against that kind of sharing are already in place. Moreover, the Facebook users who have been using the site for years also have that expectation, because that was previously the expectation set by the company.

The convenience of Facebook for reaching one's friends is hard to deny, although it does not seem to include those whom I would like to reach. In fact, the true "utility" of Facebook, what I would dearly love to have, is the universal email-address finder. The one which would allow me to find email addresses of long lost friends, and not just their home addresses and property value which I can find through scary services like Intelius. The hope that Facebook holds out is the hope of reconnection and the hope of staying connected.

Facebook is seeking to trade that for the price of our personal privacy. A price it hopes that others value more than we do. However, it has done that through what appears to many to be a bait-and-switch operation. That is what has people upset. It is not the bargain they signed up for. It is not what they were promised.

And, it is that private information that distinguishes Facebook from Google or Twitter for most people. Neither of those sites has ever asked to share information that I wouldn't naturally consider public. However, if I had a protected account on Twitter, where my tweets were construed as private I would be just as upset about having them monetized and potentially exposed. Similarly, the woman whose email name was shared to her abusive ex by Google when she joined Buzz had similar (and more dramatic) cause for upset. To whom we connect and who we are is private information.

Holding of private information is in some sense a sacred trust. It is the real reason why these companies are likely to get regulated, not their ubiquity.

Saturday, April 3, 2010

Phishers are Here on Twitter

As always, I will start this note reminding you that while I work for Intel on security features on some future Intel chips, I don't speak for Intel on security matters and what I write about is purely my own opinions.

Perhaps it is irony. Maybe it is karma. However, after retweeting that twitter links were safer than google, I got a tweet with a phishing link from a user called @FasterComputerZ.

It looked innocent enough. It came as an @ message from someone who looked like one of the many security people who follow me and whom I follow. Sure, it was a new follower, but I get new followers every week. It also looked a little bit selling oriented, but that isn't completely suspicious by itself either. This wouldn't be the first person that was trying to make money and hoped to connect with twitter to aid that.

It did include a link to a web page. Since my link expander didn't show any problems, I foolishly followed it. When I got there I saw ads for anti-spyware programs I had never heard of before. More importantly, some of them had subtle grammatical errors. This increased my suspicions.

Therefore, I asked my good friend @teksquisite to look into the site. Sadly, it turned out to be a phishing site. Of course, I had already visited the site. I've since run scans on my computer and they've found and fixed some problems. Now, they may have come from elsewhere, but given that the site contained phishing scams, it is suspect.

Could I have been more suspicious in the first place? Yes. However, not everyone has access to the security resources that I have. So, unless you want to live like a hermit and never click another link, you need to realize that someday you will probably visit an infected site.

Keeping your anti-virus and anti-spyware up-to-date should help protect you.

Being extra cautious when things seem suspect will also help. In particular, your security programs probably have more extensive scans that you can run, like mine did. If you think you may have visited an infected site, run those extra scans.

Also, while you aren't sure things are ok, don't expose yourself (and others) to more risk. Don't visit web sites from your suspect computer. If you think you got the infection via twitter, facebook, myspace, or some other social media site, then, if you can, go to another computer and change the relevant password(s). If you can't get to a computer that you know is uninfected, wait until you have disinfected your computer before changing the passwords.

Finally, if you want to be particularly cautious, you might choose to segregate your life into different compartments. Keep one computer for doing important and private things like banking. Use a different computer for social media and web surfing. That way, if your surfing computer gets infected, your banking and private information is not at risk. I sleep better at night knowing that my banking information is not on this computer where I twitter.

Another form of segregation you can do is to use different strong passwords (that aren't related) for the various things you access. That way, if somehow one of your passwords gets stolen, it doesn't make guessing your other passwords easier.

Thursday, January 28, 2010

I've Been Hacked

There comes a time in every security worker's life, that they get hacked. In fact, it usually happens more than once.

Now, for the necessary disclaimer. I work on security for Intel, not securing Intel, but developing devices that may someday go into chips that Intel sells to make you more secure. This blog, however, is only my own viewpoints and experiences, and is in no way an official Intel declaration, recommendation, or pronouncement. It's just me getting up on my soapbox and talking about what interests me, and what I've learned about being secure in a very open world.

Sometimes, like around April 1st, it happens because one of your co-workers decides that they want to amuse you. I got some very clever emacs macros one year that changed the way the screen looked to put the status bar on the other side. I actually decided I liked emacs better that way and kept them there.

Other times, one gets hacked because one hasn't tightened the security of something enough and someone actually does break in. I used to have a very nice Unix system for the software company I own, but which I had to administrate for myself. I left that system too open and I got root-kitted. After that, I bought a nice firewall, and tightened up the permissions on the system's ports and was safe until I retired that machine.

Well, given the rash of facebook and twitter attacks going on last fall, I figured I was about due for another learning experience. It was never really clear what perpetrated the attacks, although the koobface virus and some suspicious IQ test links sent via DM were the top suspects. However, we were never certain that the problem was resolved and that the threat had dissipated. In fact, it is quite likely still a threat, just not an active one.

So, when I turned on my tweetdeck session and saw the note that I had tagged @barackobama using this web based twitter service, I feared the worst. Here is a wonderful twitter service, that I had been using and now my account there had been hacked. Moreover, since the account is based upon my twitter credentials, those had probably been hacked too.

Remembering the preceding viruses, I immediately tweeted out that my id had been hacked and not to follow any links I had sent. I then went about turning things off.

  1. I closed all windows except those I needed to turn things off.
  2. I revoked the service's access to my twitter account from a machine where I hadn't been running the service.
  3. I changed my twitter password.
  4. I closed my last twitter session and went to a machine where I hadn't been running it and logged in and then immediately changed the password again.
  5. I then felt secure enough to turn twitter back on.

By that time, the problem had been tracked down. It wasn't a virus that had hacked me. I was actually reporting a problem to the folks at the service and they had logged into my account there to check out the problem, but had forgotten to log out and the practical joke had been played there.

And, there lies the real moral of this story. In the end, most of our trust has to be in people. It was a person who forgot to log out of my account. It was a person who saw that as an opportunity to play a joke. All of the characters in this story were people. That is true in most security incidents. It usually isn't some very clever program that causes a security breach. It is usually some person's action, logging into a web site that one shouldn't have. Posting their vacation itinerary on their facebook wall. Choosing 123456 as their password.

Fortunately, this incident was more illustrative than dangerous. Plus, to live successfully, one must trust some people. Therefore, in the end, I decided I still trust the folks at the service. Although, I did ask them to read this entry, so that they can think about how to be more careful with other people's data.

However, when one encounters what looks like a hack attempt, one cannot be too careful. Taking immediate action to prevent the problem from getting worse was the prudent thing to do. I'm happy that the incident appeared to be more in my head than reality, but I'm still glad I didn't let it get out-of-hand, and would have been more so had I really been hacked by someone malicious.

Epilog

After writing this description, I had some additional exchanges with the fine folks at the service who explained what actually happened as opposed to what I perceived. I include some of that here:

Fair enough, but you have to know that I wasn't playing any kind of "joke" on you ... I was multi-tasking and trying very hard to help a valued user. And NOBODY else had access to your account --- the @barakobama "tag" was just the next thing I did in our service and I failed to notice that I was spoofed in as you via our system.

I readily admit the mistake and the tone of your post is very fair so I have no qualm.

I have not, however, figured out the issue you're having ... and I have to "spoof" your account to do so. Just as an FYI, I don't have ANY ACCESS to your Twitter account. We use Twitter to authenticate you but the resulting cookies are written to your computer (same as Twitter) and we NEVER save that information on our end.

We know some applications do keep credentials and we see this as the type of grave threat you describe. And I personally only allow two applications access to my Twitter account (Our service being one.)

Anyway, when I diagnose your RT issue I will be more cautious, I promise.

Thanks for sharing and for being as generous as possible with your written commentary. We hope to keep you as a regular user, and we hope you continue to find value in our service.