bugfox blog

More and more people are saying that you should log out of Facebook as soon as you are done. If you stay logged in and go to another site with which Facebook has an information-sharing agreement, Facebook will tell the other site all sorts of things about you that you thought were private. (You can “opt out” of this, but the procedure may be too complicated for most mortals.)

But have you noticed that Facebook is the only site on the Web that requires you to log in, but does not give you a simple one-click “Log Out” link on each page? What you have to do is first click “Account”, then click “Logout”, which is much less obvious.

Also: Five Hidden Dangers of Facebook.

I can’t give proper credit to the author of this piece. He may be an expert on computer security, but he doesn’t seem to know much about how to set up a web site (there’s no link back to the home page.)

Nevertheless, The Six Dumbest Ideas in Computer Security is well worth reading if you have any interest in how to secure a computer or a network.

Microsoft has finally addressed the problem I described here and and released an official update to let you really disable AutoRun. (via The Register.)

Back in the early 1990s, when Microsoft was raring to conquer the world, and still thought that security was something that could be dealt with as an afterthought, they added two features to Windows that have caused endless grief: ActiveX controls and AutoRun. Both were intended to make things more convenient for developers. (ActiveX was also a blatent attempt to hijack the Internet by encouraging web developers to build sites that could only be accessed using Windows and Internet Explorer.)

ActiveX controls used to cause all sorts of security problems, but this issue has gradually faded away as web developers came to realize that they should never, ever use them, and end users learned to always click “No” on requests to install them (or better yet, just use FireFox or some other browser that doesn’t support them.)

AutoRun, which automatically runs a program whenever a removable disk is inserted in the drive, has persisted because it’s just so convenient for developers to be able to say “Just put the CD in the drive and follow the instructions on the screen.” Recently however a new wave of viruses spread though devices like USB keys and electronic picture frames has convinced many users that this feature is much too dangerous to allow on their machines.

However when they try to disable AutoRun they find that Microsoft has made it ridiculously difficult. There are various menu options to turn it off, but they don’t really work.

As a public service, here’s a link to Scott Dunn’s article that gives relatively simple instructions for really disabling AutoRun. (After doing this, when you want to install software from a CD-ROM you will need to open the disc in Explorer and run the setup program manually.)

Woody Leonhard’s description of the “Conficker” worm makes it clear why it is so dangerous to leave AutoRun even partially enabled.

In the Risks Digest Bruce Schneier discusses the flaws in the TSA’s system for checking photo IDs at airports, flaws that would allow any reasonably competent terrorist to walk onto an airplane, even if his name is on the “no fly” list and even without using a fake ID.

This might be considered an illustration of the general incompetence of the TSA, but it also illustrates the great difficulty of setting up a secure system that will foil a reasonably clever and determined attacker. It’s not something that the average political appointee or bureaucrat without special training is likely to be able to manage.

Elliotte Rusty Harold has just returned from China and posts this disturbing comment:

Reflecting back on my recent trip to Beijing…one of the most striking things was the contrast between personal, day-to-day freedom in Beijing and the United States (especially NYC/Los Angeles/Orange County). I’m not talking about political representation or freedom to read whatever I felt like, but just the simple ability to go whereever I felt like going without being hassled. To my surprise, by that measure Beijing came off way better than the United States does these days, and that doesn’t speak well for the U.S.
…
Somehow I thought a one-party, authoritarian state would be more oppressive than this. At least in the capital, Beijing compares favorably to major U.S. cities. To be honest, that doesn’t speak well for the U.S. If we can’t be less of a police state than a one-party, nominally Communist nation like China, then something has gone seriously wrong.

(Read the whole thing)

Back during the Cold War, right-wing types used to make a big distinction between “totalitarian states” (bad) and “authoritarian states” (not so bad.)

A totalitarian state (Russia, China or Nazi Germany) would try to monitor everything its citizens did and demanded constant declarations of effusive loyalty. An authoritarian state (Franco’s Spain) would generally leave people alone if they kept quiet and stayed out of politics.

By this definition China has clearly become an authoritarian state. But if America is becoming more of a police state than China (in terms of surveillance, etc.) then what does that make us?
(more…)

Declan McCullagh has a detailed analysis of FBI Director Robert Mueller’s recent Congressional testimony in which he asked for greatly expanded surveillance powers. Currently the FBI has the technical ability to monitor just about everything that goes over the Internet, but they need to get a warrant (or a secret National Security Letter) in order to do so.

Mueller wants to convince the Internet Service Providers to change they Terms of Service to force their customers to “consent” to having the FBI monitor everything they do without a warrant. If the ISPs refuse (as they probably would for fear of lawsuits) then he wants Congress to pass legislation requiring it.

He justifies this by invoking the usual suspects (terrorism and cyberattacks) but of course the surveillance would be quickly extended to cover lesser crimes like copyright violation. It is amusing to imagine the FBI locking up millions of file sharers, but probably they would just prosecute a small number of people to serve as examples.

SmartWater is a liquid with a unique identifier linked to a particular owner. “The idea is for me to paint this stuff on my valuables as proof of ownership,” I wrote when I first learned about the idea. “I think a better idea would be for me to paint it on your valuables, and then call the police.”
…
If more people had a security mindset, services that compromise privacy wouldn’t have such a sizable market share — and Facebook would be totally different. Laptops wouldn’t be lost with millions of unencrypted Social Security numbers on them, and we’d all learn a lot fewer security lessons the hard way. The power grid would be more secure. Identity theft would go way down. Medical records would be more private. If people had the security mindset, they wouldn’t have tried to look at Britney Spears’ medical records, since they would have realized that they would be caught.

Bruce Schneier–Inside the Twisted Mind of the Security Professional (via)

This seems a little grim, but it would be a useful counterbalance to the general tendency to enthusiastly embrace any plausible-sounding proposal without thinking through the consequences.

Problem: the voting machines report numbers that don’t add up.

Attempted solution: local authorites commision an independent audit of the machines to determine the source of the problem.

Checkmate: the vendor prevents the audit by threatening to sue to protect its “Intellectual Property.”

Story on Ars Technica.

This is exactly why all voting machines should be required to use open source software throughout: to make sure that effective audits will always be possible. Of course no commercially available voting machines actually do this. As always the industry’s motto is “Trust us. Shut up. Just trust us.”

UPDATE: A judge orders the review to proceed, although the report won’t be available in time to do anything about it before the November elections.

GoDaddy’s continued willingness to shut down any site that draws complaints makes one thing clear: you should never register a domain with GoDaddy unless you are certain that your site will never offend anybody.

Who elected the registrars to serve as the all-powerful censors of the Internet?