
Sunday, 12 June 2011

Quick post on how I may be kind of wrong.

If you know me at all, you will know that I have strong opinions on some things. If you don't know me, you now know that I have strong opinions on certain things. Now that everybody is caught up, let's all sit back and enjoy me being wrong-ish. I had a post earlier which really is based on the fact that access to the Internet is a privilege that some people abuse. Well, now the United Nations has declared it a human right. My argument falls flat on its face. I'm a big boy and I am willing to admit that, in light of this, those arguments no longer hold water. Things change, people's ideas turn out to be wrong, that's life.

Also, just a minor side-note: read this article!

Sunday, 27 March 2011

Location, Location, Location! What you don't know that they know!

Alrighty then folks, I have been away for about a month. Between my holiday, work and trying to write another post which I hope to publish some time soon, you have seen zero in terms of output from me. This is me correcting that. So, as I was browsing through the magical interwebz, I happened upon this article. This set off all kinds of crazy alarm bells in my mind. So, let's look at this issue in a bit more detail.

Historically, your mobile provider has always known where you are to some extent. With GSM (I believe there is a difference with CDMA, but I am not too familiar with it, so I will skip it) the service would know which base station was nearest to you. With this information, they would know that you were in a certain area. The reason they need to know this is so that when you make a phone call, they know which base station to forward the authentication information to.

One little point to make here is that one can tell approximately how far you are from a base station based on signal strength. If you can find out the distance from several base stations, you can use a method called multilateration to calculate a more accurate location. The more distances you know, the more accurate the location is. This is how location-based services, such as Google Maps, work on a handset with no GPS.
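To show how much the coarse "nearest base station" fix loses to multilateration, here is an added example (not code from the original post) that turns signal-strength readings into distances with a log-distance path-loss model and then solves for the handset position by least squares. The station layout, the path-loss constants and the handset position are all constructed values; real readings are far noisier.

```python
import math

# Added example, not the post's code. All values below are constructed:
# base-station positions in metres, received power P0 (dBm) at 1 m, and a
# log-distance path-loss exponent n (urban GSM is roughly 2.7 to 3.5).
STATIONS = [(0.0, 0.0), (4000.0, 0.0), (0.0, 3000.0), (4000.0, 3000.0)]
P0_DBM, PATH_LOSS_N = -10.0, 2.7

def rssi_from_distance(d_m):
    """Log-distance path-loss model: RSSI expected d_m metres from a station."""
    return P0_DBM - 10.0 * PATH_LOSS_N * math.log10(d_m)

def distance_from_rssi(rssi_dbm):
    """Invert the model: estimated distance for an observed RSSI."""
    return 10.0 ** ((P0_DBM - rssi_dbm) / (10.0 * PATH_LOSS_N))

def nearest_cell(distances):
    """Coarse 'which cell is it in' estimate: the nearest station's position."""
    return STATIONS[min(range(len(distances)), key=distances.__getitem__)]

def multilaterate(distances):
    """Least-squares multilateration from >= 3 station distances: subtracting
    station 0's circle equation from each other's gives A p = b in position p."""
    (x1, y1), d1 = STATIONS[0], distances[0]
    rows = []
    for (xi, yi), di in zip(STATIONS[1:], distances[1:]):
        a = (2.0 * (xi - x1), 2.0 * (yi - y1))
        b = d1 ** 2 - di ** 2 + xi ** 2 - x1 ** 2 + yi ** 2 - y1 ** 2
        rows.append((a, b))
    # Normal equations (A^T A) p = A^T b, solved with Cramer's rule.
    s11 = sum(a[0] * a[0] for a, _ in rows)
    s12 = sum(a[0] * a[1] for a, _ in rows)
    s22 = sum(a[1] * a[1] for a, _ in rows)
    t1 = sum(a[0] * b for a, b in rows)
    t2 = sum(a[1] * b for a, b in rows)
    det = s11 * s22 - s12 * s12
    return ((t1 * s22 - t2 * s12) / det, (s11 * t2 - s12 * t1) / det)

def locate(rssi_readings):
    """Return (nearest-cell estimate, multilateration estimate), in metres."""
    distances = [distance_from_rssi(r) for r in rssi_readings]
    return nearest_cell(distances), multilaterate(distances)

if __name__ == "__main__":
    truth = (1200.0, 900.0)  # constructed handset position
    readings = [rssi_from_distance(math.dist(truth, s)) for s in STATIONS]
    cell, fix = locate(readings)
    print("nearest cell off by %.0f m, multilateration by %.1f m"
          % (math.dist(truth, cell), math.dist(truth, fix)))
```

With four stations the nearest-cell guess is 1.5 km out while the multilateration fix lands on the handset; with only one station all the provider has is "somewhere in this cell".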

Now, it would be very very very easy for a service provider to obtain the location of any customer and store it, but it may be ILLEGAL!!! Under the European Data Protection Directive (and analogous legislation in other countries) no company may collect any personal data about you without your explicit consent. Now we need to clear up two points (in the simplest case):
1) Is your location personal data
2) Did the company have your consent

So, let's start with point 1. The definition of personal data is as follows in Article 1 Clause 2 Sub-Clause a:

'personal data' shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;

I think we can safely say that a person's location and their movements would definitely qualify. So that's one point out of the way.
Next, we need to know if this information was collected legally. I'm going to go out on a limb and say probably. Most companies have you agree to a Terms of Service, which nobody ever reads. This is because it tends to be dozens of pages written in legal parlance. It's enough to make any sane non-lawyer cry tears of sheer anguish. We all sign our consent to it having read the summary and hope we haven't signed away one of our kidneys.

In this case, it's not really the end of the world if our cellphone provider knows where we are. The problem arises when they decide to share that data. In the Terms of Service it may say that they can share this information with certain 3rd parties for any reason. This means that marketing companies could potentially track your every move and learn a lot about your preferences. This could be a problem.

This is an example of why privacy experts complain bitterly about the loss of privacy in the digital age. And they have every right to; with things like this, less and less information is staying private. However, their constant and sometimes annoyingly repetitive rants tend to fall on deaf ears. Unfortunately, some people release this information themselves using applications such as Foursquare. It's a classic case of leading a horse to water and watching it drown itself.

Despite this, people such as Malte Spitz (link is in German) still have concerns about the privacy of their data. I would not recommend that anybody try to get their hands on the location data held about them, as it would probably not go down well. According to the article it took 6 months of legal wrangling for Herr Spitz to get this data. It would take at least as long for you.

Now to sum up I would say "Big Brother is watching you!" but that is trite and cliché. And frankly a tad more alarmist than I would like to be at dark-and-scary-o'clock in the morning. So, I will go with the slightly milder "Be careful what you share on the Internet!"

Sunday, 6 June 2010

Really, Google? Really?

So it has recently come to light that Google will, according to this article, phase out Microsoft Windows in favour of Mac OS-X or Linux on the company machines. They are claiming that this is a security measure, citing the attacks on Google's Chinese operations recently. At this point in time I really have to wonder, what in the name of the seven deep dark pits of Hell are you not thinking, Google? You could not be more wrong if you tried (yes, this annoys me so greatly my grammar is out the window.)

If you will allow me to explain for a moment. A few months ago, Google, amongst other large tech companies, was attacked by what became known as the Aurora Attack. An employee in Google China clicked on a link he received in an e-mail. I will assume it claimed to be an amazing picture of the Aurora Borealis or something of that nature. By clicking this link, he then infected his system and this spread throughout Google's network.

Now let's focus on the attack itself. Aurora is a Windows-based IE6-specific buffer overflow attack. This gives us 3 things that are needed for this attack to work:
  1. Windows
  2. IE6
  3. Buffer overflow attack
Let us now examine each of the 3 points. Windows, more to the point Windows XP. Now Windows XP, as with most Operating Systems, really did not have any security features built into it, hence making them all equally vulnerable. However most vendors have realised that this is no longer acceptable and have started adding security features to their OSes. We take the one specific feature in Windows XP, which is Data Execution Protection (details to follow in a later blogpost), which was added in as part of SP3, if memory serves. This was before the attack and would have prevented it, but it seems Google's computers were not up-to-date on software patches.

Next point is IE6, the all too famous Internet Explorer 6. The Bane of all web developers and the love of all its users. As with XP, it does not have any real security features built into it. In IE7 and IE8 there are some security features added in, but I am not sure what they are as I have not done a proper study, nor have I looked for any details. The point remains both IE7 & 8 were available at the time, as were Mozilla Firefox, Opera and of course Google's own Chrome browser. So not only were they using an unpatched OS, they were using an old outdated internet browser, despite having a browser of their own, which they will smugly tell you is more secure. It is undoubtedly more secure, so why it was not used escapes me totally.

Then we move on to buffer overflow attacks, which are well explained by my colleague in his blogpost. Also would recommend his post on ASLR/DEP.

There is also the matter of the Chinese activists getting their GMail accounts hacked. Well, what happened there is simple. Ever wonder how websites "remember you" and all your details? Simple, when you check the "Remember me" or "Keep me logged in" box, what the website does is store a small text file, called a cookie, with all your details on your computer. When you next visit the website, the browser loads up the cookie, passes on your details to the site and thus, in a manner of speaking, does the log in for you. Until recently GMail was based on HTTP and not HTTPS, meaning all cookies were passed around in the clear, as were all other communications. Given this situation it is fairly easy to intercept the packets going between GMail and your target and thus hack into their accounts.
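As an added example (not the post's own code), here is the check a site owner can run over its own Set-Cookie headers: the first constructed header is the plain-HTTP-era "remember me" cookie the paragraph describes, the second is the form that keeps the session token off the wire in the clear. Cookie names and values are made up.

```python
from http.cookies import SimpleCookie

# Added example, not the post's code. Two constructed Set-Cookie headers as a
# webmail login might emit them: the first is the "in the clear" style cookie
# the post describes, the second the hardened form.
WEAK_HEADER = "SID=s3ss10n-t0k3n; Path=/; Expires=Sat, 01 Jan 2011 00:00:00 GMT"
HARDENED_HEADER = "SID=s3ss10n-t0k3n; Path=/; Secure; HttpOnly; SameSite=Lax"

def parse_cookie(set_cookie_value):
    """Return (name, morsel) for a single Set-Cookie header value."""
    jar = SimpleCookie()
    jar.load(set_cookie_value)
    name, morsel = next(iter(jar.items()))
    return name, morsel

def sent_over_plain_http(set_cookie_value):
    """Would a browser attach this cookie to an http:// request?

    Only the Secure attribute stops that; Path, Expires and HttpOnly all
    still let the cookie travel in the clear where anyone on the path
    between the handset and the site can read it.
    """
    _, morsel = parse_cookie(set_cookie_value)
    return not bool(morsel["secure"])

def audit(set_cookie_value):
    """List the missing protections for a session cookie header."""
    name, morsel = parse_cookie(set_cookie_value)
    findings = []
    if not morsel["secure"]:
        findings.append("%s lacks Secure: sent over plain HTTP" % name)
    if not morsel["httponly"]:
        findings.append("%s lacks HttpOnly: readable by page scripts" % name)
    if not morsel["samesite"]:
        findings.append("%s lacks SameSite: attached to cross-site requests" % name)
    return findings

if __name__ == "__main__":
    for header in (WEAK_HEADER, HARDENED_HEADER):
        print(header)
        for finding in audit(header) or ["  no findings"]:
            print("  " + finding.strip())
```

The Secure flag only helps once the site itself is served over HTTPS; a cookie set with Secure by an HTTP-only site would never be sent back at all.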

Now, if we look at the choices of OS the employees have, we see Mac OS-X and Linux. Google seems to think these are more secure. Well, here's news for you Google, THEY'RE NOT!!! Honestly! As much as Apple advertisements would like to convince you that there are absolutely no viruses/malware for Mac, there are, just not as numerous as for Windows. "Why?" you ask me? Well, it's simple: 80% of OSes out there are Windows, so it's a numbers game, more targets means a larger chance of succeeding. It's pure and simple statistics. The same applies for Linux. Linux, on the other hand, has a problem of its own. Since all the code is open source and freely available, someone could use the code to find a really nasty vulnerability. Granted that the code is a gajillion pages long, but the possibility still exists.

So, all in all, it really doesn't matter what Operating System Google uses, they all have vulnerabilities. Furthermore, if they don't keep up to date with the software patches and use secure versions of software, well then in my opinion they deserve to be attacked. Repeatedly. Citing "security reasons" for changing from Windows is the worst possible excuse Google could have come up with. Really, Google? GROW UP!