
Quotes of the week

I’ve learned that there is a “website intelligence” network that tracks form submissions across their customer network. So, if a visitor fills out a form on Site A with their name and email, Site B knows their name and email too as soon as they land on the site.
Darren Nix

Crucially, vulnerability information has a higher market value if it is withheld from the maker of the vulnerable product. If the maker finds out, they might close the hole and render the information worthless. So the market in vulnerabilities rewards researchers for making sure that the problems they discover are not fixed–exactly the opposite of the traditional view in the field.

Policymakers should be taking a serious look at this market and thinking about its implications. Do we want to foster an atmosphere where researchers turn away from disclosure, and vulnerability information is withheld from those who can fix problems? Do we want to increase incentives for finding vulnerabilities that won’t be fixed? Do we think we can keep this market from connecting bad guys with the information they want to exploit?

Ed Felten

My whole life is on Google. My money, my history, my photos, my memories, my books, my identity, my relationships. Even a simple movement or administrative access requires my Google account.

And, starting tonight, trying to connect brings me a message: "Your account has been disabled."

Lionel Dricot

Quotes of the week

Posted Dec 13, 2012 5:36 UTC (Thu) by mathstuf (subscriber, #69389)

The tracking thing makes me wish even more that I had started using the '+foo' feature[1] of email (gmail supports it) long ago. Basically only sign up for places where a conversation isn't likely to happen[2] by using a specific '+' suffix and auto-bin anything to that address not from that domain. Ideally, people would post and publicize that company A shares information with company B based on the addresses spam gets received on. A browser plugin could even display a bar which says "By giving your email to this site, you're implicitly sharing information with companies X, Y, and Z.".

As for selling vulnerabilities, wasn't there a QOTW about someone stating that they would never give exploit information to vendors and would instead rather sell it to the government? I don't know how willing lawmakers would be to disincentivize the vulnerability market(s?) if it meant the three-letter-agencies opposed it because it might force them to do their own "research" instead of just buying it.

As for the Google life…this makes me glad that my last personal stuff that I have nowhere other than Google is email contact (I use IMAP, so I'm not completely lost without access to gmail) and the groupings of contacts in Google+ (would just need to export as tags to my CardDAV server). Unfortunately, things still aren't complete here (no static IP, some services missing, etc.), so I'm stuck with what I'm using now :( . Well, I also would need to migrate to CyanogenMod too now that I think about it…

[1]Is there an actual name for this?
[2]The tools I use for email and news (esmtp, mutt, and slrn) look like they'd get a little unwieldy to manage handling of specific From addresses based on who I received it from. Not to mention that gmane authentication would get a little hairy with lists I might send one email to ever.

Quotes of the week

Posted Dec 13, 2012 15:19 UTC (Thu) by nybble41 (subscriber, #55106)

> The tracking thing makes me wish even more that I had started using the '+foo' feature[1] of email (gmail supports it) long ago.

The problem with this approach is that the '+label' feature is well-known, and all someone has to do to circumvent it is remove everything in the user part of the e-mail address between '+' and '@'. I don't know whether anyone actually does this--the use of labels may not be widespread enough to justify the extra effort--but if I was an e-mail harvester I would probably strip the labels out of the addresses before spamming them.

You're basically relying on your opponent to self-identify, unless you insist on requiring incoming messages to have specific labels (passwords, in effect) from a hard-to-guess list, which isn't entirely practical, not least because not all sites accept the '+label' syntax in e-mail addresses.

Quotes of the week

Posted Dec 13, 2012 15:33 UTC (Thu) by mathstuf (subscriber, #69389)

I don't know if there's much that can be done about harvesters. I'd be using it without a label on mailing lists anyways, so it'd always be out there. I'm more interested in companies which give out their users' information to other companies. Knowing what "third parties" means in Terms of Services and Privacy Policies would be a good thing to crowd source.

Quotes of the week

Posted Dec 13, 2012 16:19 UTC (Thu) by nybble41 (subscriber, #55106)

> I'm more interested in companies which give out their users' information to other companies.

This is what I meant by "harvesting". It would be trivial to sanitize the e-mail addresses before handing them out to other companies.

Quotes of the week

Posted Dec 13, 2012 16:27 UTC (Thu) by hummassa (subscriber, #307)

The simple solution is: use a +xxx@ address everywhere, do NOT accept email without it (at least by default).

Quotes of the week

Posted Dec 13, 2012 17:40 UTC (Thu) by mathstuf (subscriber, #69389)

Since I'm looking to run my own server, if the labeling fails, I guess I could set up an "accounts" subdomain for email which does the same in a less direct way.

Using "+xxx@" everywhere gets hard in the face of (at least) GPG verification and address books unless you're absolutely vigilant in setting up Reply-To properly and have a signature file stating that the labeled address should be stored in address books and not the 'naked' address.

Quotes of the week

Posted Dec 14, 2012 16:39 UTC (Fri) by gerv (subscriber, #3376)

If you own your own domain, you can also have a "-label" or a "$label" feature - just route all email to the domain to you by default (and blacklist any which start getting spam). How does a tracker know gerv-foo@example.com and gerv-bar@example.com are the same person?

Gerv
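Taken together, the proposals in this subthread (mathstuf's auto-binning of mail to a labeled address that does not come from the matching domain, nybble41's observation that a harvester can simply strip the '+label', hummassa's rule of not accepting unlabeled mail, and gerv's own-domain separator) amount to a small receive-side policy. The following is an added example written for this page; it is not code from LWN or from any of the commenters. The registration table, the addresses, the separator handling and the sample (To, From) pairs are all constructed for illustration.

```python
"""Label-based inbound mail policy, as an added illustration of the thread above.

Assumptions (all hypothetical): the user keeps a table mapping each label to the
domain it was handed out to; messages are represented here only by their
To and From headers, not parsed from real mail.
"""
from email.utils import parseaddr

# Hypothetical registration table: label -> domain the labeled address was given to.
REGISTRATIONS = {
    "shop": "example-shop.com",
    "newsletter": "news.example.org",
}


def split_label(addr, sep="+"):
    """Split 'base+label@domain' into (base, label, domain).

    label is None when the address carries no label.  sep="-" gives gerv's
    own-domain variant, where the separator is not the well-known '+'.
    """
    local, _, domain = addr.partition("@")
    base, found, label = local.partition(sep)
    if not found or not base or not label:
        return local, None, domain
    return base, label, domain


def strip_label(addr, sep="+"):
    """What a harvester does (nybble41's point): collapse the labeled address
    to the naked one, so the recipient can no longer tell where it leaked from."""
    base, _, domain = split_label(addr, sep)
    return f"{base}@{domain}"


def sender_domain(from_header):
    """Domain of the address in a From header, lower-cased."""
    _, address = parseaddr(from_header)
    return address.rpartition("@")[2].lower()


def classify(to_addr, from_header, registrations=REGISTRATIONS,
             require_label=True, sep="+"):
    """Decide what to do with a message addressed to to_addr.

    'reject'    no label although one is required, or a label never handed out
    'unlabeled' no label, but unlabeled mail is allowed (require_label=False)
    'leak'      known label, but the sender's domain is not the one it was given to
    'accept'    known label and sender domain matches (subdomains allowed)
    """
    _, label, _ = split_label(to_addr.lower(), sep)
    if label is None:
        return "reject" if require_label else "unlabeled"
    expected = registrations.get(label)
    if expected is None:
        return "reject"
    sd = sender_domain(from_header)
    if sd == expected or sd.endswith("." + expected):
        return "accept"
    return "leak"


def leak_report(messages, registrations=REGISTRATIONS, sep="+"):
    """Map 'domain the label was given to' -> set of sender domains seen using it.

    This is the crowd-sourced 'company A shares with company B' list mathstuf
    wants, to the extent the label survived (a stripped label is invisible here).
    """
    shares = {}
    for to_addr, from_header in messages:
        if classify(to_addr, from_header, registrations, sep=sep) == "leak":
            _, label, _ = split_label(to_addr.lower(), sep)
            shares.setdefault(registrations[label], set()).add(sender_domain(from_header))
    return shares


# Constructed sample traffic: (To, From) pairs, not captured from real mail.
SAMPLE = [
    ("alice+shop@mail.example", "Shop <orders@example-shop.com>"),
    ("alice+shop@mail.example", "Deals <promo@partner-ads.example>"),
    ("alice+newsletter@mail.example", "List <list@mail.news.example.org>"),
    ("alice+random@mail.example", "Spam <x@random.example>"),
    ("alice@mail.example", "Harvester <x@stripped.example>"),
]

if __name__ == "__main__":
    for to_addr, from_header in SAMPLE:
        print(f"{classify(to_addr, from_header):9s} {to_addr} <- {from_header}")
    print(leak_report(SAMPLE))
```

The last sample line is the case nybble41 describes: once the label is stripped, the message is indistinguishable from any other unlabeled mail, so the only defence left is hummassa's default of rejecting unlabeled mail outright (require_label=True), which costs you every correspondent who copied the naked address into an address book, as mathstuf notes in the reply above. The From-domain check is also only as trustworthy as the envelope it rides on; a spammer can forge From, so a real deployment would want SPF or DKIM results alongside it.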

Quotes of the week

Posted Dec 20, 2012 14:44 UTC (Thu) by kh (subscriber, #19413)

1) It is called address plussing, although I have also seen plus-addressing.

Vulnerabilities

Posted Dec 13, 2012 9:59 UTC (Thu) by epa (subscriber, #39769)

It used to be that only 'bad guys' were interested in exploiting security bugs in software. But with the rise in locked-down devices, where security is more about preventing the owner of the device from doing what he wants, it is increasingly the legitimate owner of the computer who wants to exploit it. The 'bad guy' may well be the maker of the product, and it's better that they don't find out about vulnerabilities for as long as possible.

Vulnerabilities

Posted Dec 14, 2012 10:55 UTC (Fri) by man_ls (subscriber, #15091)

Excellent point, I nominate it for the QotW for next week.

That manufacturers should wish to alienate their customers by locking them down is probably just a historical artifact, just like DRM on iTunes. I have said before that the downfall of HTC was how locked down their devices are. It is no coincidence that Samsung is the most open and sells more than any other vendor. By the way, the vendor wins nothing by locking down the phone; only if all of them did the same (and securely enough) would the usable life of phones go down and sales go up, and even then it is doubtful that people would spend even more in smartphones. Or just go to cheaper products, since they become a better deal.

The consequences (should this theory of mine be true) are interesting. Apple's iPhone will adapt to an unlocked future or (most probably) perish. Windows Phone has doomed itself by requiring all terminals to be locked. Cyanogenmod and other aftermarket OS's will only increase in time. After a while community "distros" for Android might be as useful as on traditional desktops today. Finally, the dystopian future of pervasive locked down devices spying on their owners would be a memory of the past.

Vulnerabilities

Posted Dec 14, 2012 11:05 UTC (Fri) by hummassa (subscriber, #307)

Amen, brother! I hope you are right, but IME these things tend to be cyclic, alternating periods of lockdown and suffocation of the open initiatives with periods of openness...

Quotes of the week

Posted Dec 13, 2012 11:36 UTC (Thu) by lacos (subscriber, #70616)

> My whole life is on Google

Sorry for being an insensitive clod, but I guess nobody forced Lionel Dricot at gunpoint to put his entire life on Google. It is perfectly possible to live without a google account, to block google analytics, to auto-remove cookies, to default to a privacy-valuing search engine.

Refuse internet feudalism.

http://www.schneier.com/blog/archives/2012/12/feudal_sec....

Quotes of the week

Posted Dec 13, 2012 12:01 UTC (Thu) by ploum (guest, #71620)

Maybe you should read the entire article, not the excerpt. This is a work of fiction.

Quotes of the week

Posted Dec 13, 2012 13:58 UTC (Thu) by hummassa (subscriber, #307)

> This is a work of fiction.

I would like to understand where you took this from. Nothing in either article suggests that either of them is a work of fiction...

Quotes of the week

Posted Dec 13, 2012 14:17 UTC (Thu) by micka (subscriber, #38720)

He is the author.

Quotes of the week

Posted Dec 13, 2012 15:27 UTC (Thu) by jwakely (subscriber, #60262)

The fact it's set in the future was my first clue.

Quotes of the week

Posted Dec 13, 2012 16:55 UTC (Thu) by hummassa (subscriber, #307)

THAT is what I earn for skimming. Too subtle for the old rhino-in-a-china-shop me. Sorry, nothing to see here, kids...

Quotes of the week

Posted Dec 14, 2012 1:43 UTC (Fri) by apoelstra (subscriber, #75205)

> THAT is what I earn for skimming. Too subtle for the old rhino-in-a-china-shop me. Sorry, nothing to see here, kids...

You're not the only one who missed this -- I certainly did. The excerpt isn't the least bit out of place in the real world in 2012 (nor is, for that matter, the first quarter or so of the story).

And of course, that makes the whole fictional piece that much more fascinating and frightening.

Quotes of the week

Posted Dec 14, 2012 4:48 UTC (Fri) by berryji (subscriber, #5206)

Very droll!

Quotes of the week

Posted Dec 13, 2012 17:55 UTC (Thu) by drag (subscriber, #31333)

> Policymakers should be taking a serious look at this market and thinking about its implications. Do we want to foster an atmosphere where researchers turn away from disclosure, and vulnerability information is withheld from those who can fix problems? Do we want to increase incentives for finding vulnerabilities that won’t be fixed? Do we think we can keep this market from connecting bad guys with the information they want to exploit?

Seeing how the primary market mover for undisclosed vulnerabilities is the 'policymakers' themselves (aka governments) then it's extremely unlikely we will see any move to actually resolve the problem.

In fact if they are convinced to try to 'help' they are more than likely going to create rules which perpetuate the problem indefinitely and increase their ability to amass undisclosed vulnerabilities and raise costs to such a point that it excludes their competition. (i.e. criminal organizations in addition to the people attempting to actually try to find and fix the problems.)

Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds