For anyone who's participated in forums, online games, or any other system where you can communicate with random strangers, you've probably encountered people who make you angry. Some are just people you legitimately don't get along with, and some are "trolls": people who toy with others for their own amusement.
What makes people trolls is generally the anonymous nature of the Internet. Sadly, this is often a perceived anonymity only. Just yesterday, I found a post I didn't agree with and wanted to comment on it. Since the author had locked comments, I did a little web research and found her real name, school, e-mail address, and other sites she posted to. I was only looking for some means to contact her, but the information was fully filled out on these sites with no protection at all.
Imagine her shock to find out how easily she was found (and to be honest she called me quite a few names at first though we did have a good conversation after that).
Sadly, most people don't realize how difficult it is to be truly anonymous. The only things keeping you safe in many cases is that you've never given anyone enough reason to look you up. And now we get to the real story.
Online games can be tense and frustrating. For example, the first time I played an online competitive game, I was completely crushed in seconds and insulted repeatedly for my efforts. I chose to stick with offline gaming but others weather the storm and build their skills to the point they can keep up and even be good enough to win.
However, there are just going to be times that someone is better than you. That's frustrating enough, but when they're rude and insulting, it can be maddening. And for context, understand that the people who are the rudest are often younger males who believe they don't have to "pull any punches" since they don't have to face the consequences of their actions (an idea that was excellently portrayed in Disney's Pinocchio).
My point is, this kid was being an ass with abandon. What was his opponent going to do? Hunt him down and hurt him? Turns out the answer was yes.
And believe it or not, there's a lot of support for the attacker online. The sad fact is that there are still consequences for what we do, even if we're online. Similar to the advice every parent must give their children about how posts last forever, we must also teach our kids not to draw undue aggression. After all, how do you know whether the person you're "teabagging" has the ability and desire to come after you in person?
If you're with Citibank, then YOU'RE WITH STUPID!
When I teach, I explain how most of the breaches and problems you hear in the world aren't about clever hackers or sophisticated attackers, but instead about weak and pathetic security. This has just become my new go-to example.
Basically after you logged into your account as a Citi customer, the URL contained a code identifying your account. All you had to do was change around the numbers and boom, you were in someone else's account.
What that means is that if you were to look at the address bar at the top of the browser, it contains the name of the website you're on and (as is typical) a whole lot of other junk like this:
One of the values in the "lots of other junk" area told Citibank whose account to show. If you just entered any random number, the website would think you were the user with that ID and show you their page. Even when this kind of problem was new over a decade ago, it seemed pretty dumb for major websites to be this sloppy. To think that a site run by such a large (and rich) company would make this kind of mistake would be laughable if it weren't so contemptible.
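To make the Citi problem concrete, here is an added example (not code from the post and not Citibank's code) showing the "account id in the URL" lookup in the vulnerable form the post describes, beside a hardened form that treats the id as untrusted input and checks it against the authenticated session. The account numbers, user names, session tokens and balances are all constructed for illustration.

```python
# Added example, not from the original post: an account lookup that trusts the
# id taken from the URL (the Citi pattern) beside one that checks ownership.
# Every id, name, token and balance below is constructed sample data.

from dataclasses import dataclass


@dataclass
class Account:
    account_id: int
    owner: str
    balance: float


# Constructed sample data: three customers, one account each.
ACCOUNTS = {
    1001: Account(1001, "alice", 250.00),
    1002: Account(1002, "bob", 9800.50),
    1003: Account(1003, "carol", 12.75),
}

# Constructed sessions: the server already knows who authenticated.
SESSIONS = {
    "sess-alice": "alice",
    "sess-bob": "bob",
}


class NotFound(Exception):
    """Raised for any account the caller is not allowed to see."""


def show_account_vulnerable(session_token: str, url_account_id: int) -> Account:
    """The pattern the post describes: the server checks that *somebody* is
    logged in, then shows whatever account number arrived in the URL."""
    if session_token not in SESSIONS:
        raise PermissionError("not logged in")
    return ACCOUNTS[url_account_id]  # any logged-in user sees any account


def show_account_hardened(session_token: str, url_account_id: int) -> Account:
    """Hardened version: the id from the URL is untrusted input and must match
    an account owned by the user behind the session."""
    user = SESSIONS.get(session_token)
    if user is None:
        raise PermissionError("not logged in")
    account = ACCOUNTS.get(url_account_id)
    # Same answer for "does not exist" and "belongs to someone else", so a
    # guessed number does not reveal whether that account exists.
    if account is None or account.owner != user:
        raise NotFound("no such account")
    return account


def access_denied(session_token: str, url_account_id: int) -> bool:
    """True when the hardened handler refuses the request."""
    try:
        show_account_hardened(session_token, url_account_id)
    except NotFound:
        return True
    return False


def demo() -> dict:
    """Run both handlers with a tampered id and report what each returned."""
    return {
        # alice's session asking for bob's account number
        "vulnerable_leaks": show_account_vulnerable("sess-alice", 1002).owner,
        "hardened_denies_foreign": access_denied("sess-alice", 1002),
        "hardened_allows_own": not access_denied("sess-alice", 1001),
    }


if __name__ == "__main__":
    print(demo())
```

The important design point is that the hardened handler never derives *who* the user is from the URL; identity comes from the session, and the URL only says *which* of that user's records to show. Returning the same "not found" for foreign and nonexistent accounts keeps a tampered id from doubling as an account-number enumeration oracle.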
Citi, TJX wants to thank you from the bottom of their hearts for finally doing something so stupid that we can forget about their horrible mistake (at least just a little).
Tags: Account Security, Continual Stupidity, Utter Failure
awesome terrible. Apparently a UK immigration officer added his wife to the no-fly list when she was out of country effectively stranding her.
Based on the lack of details and the fact that she could have just taken a ferry instead of an airplane, this story doesn't really seem that likely, but it's making the rounds, and the most important issue here is the possibility of a single government official, working alone, abusing the system. While important security databases are poorly controlled, these kinds of abuses are possible.
Speaking of, I found a supposed copy of the no fly list online. Check it out!
, No-Fly List
There have been some high profile hacks of Sarah Palin and Grady Sizemore, but the issue here is less about Yahoo security and more about what you do with it.
Just make a Privacy Alias and use it for places that want your personal information, but don't really need it. Of course, if you use an encrypted file to store passwords, you don't have to make an alias at all. You can just store completely new made up challenge answers for each site.
Tags: Account Hijacking, Challenge Questions
Ok so maybe not ONE click. But someone has put together a simple tool that you can use to take over the active sessions of anyone within wireless range of you. Hang out at the Starbucks free wi-fi and you'll be able to control the Facebook or other accounts of people nearby. It's an attack that was always simple to do for those who know how, but now any idiot can do it with a simple new interface.
Hopefully with their newest black eye (it never ends for Facebook does it?) they'll patch up this glaring hole.
By the way, they mention a few protections from this at the bottom of the article, but here's one more.
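The session-stealing attack above works because the login cookie is sent in clear text, so the fix is on the site's side: serve the whole session over HTTPS and mark the cookie so browsers refuse to send it any other way. As an added example (not from the post or from the tool it describes), here is a small checker that reads a server's response headers and reports the settings that would let a cookie be captured on an open wireless network. The two responses it inspects are constructed.

```python
# Added example, not from the original post: audit Set-Cookie and transport
# headers for the flags that stop a session cookie from crossing the wire in
# the clear. Both sample responses below are constructed.

from typing import Dict, List, Tuple

Header = Tuple[str, str]


def parse_set_cookie(header_value: str) -> Dict[str, object]:
    """Split one Set-Cookie value into the cookie name and its attributes."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs: Dict[str, object] = {}
    for attr in parts[1:]:
        if "=" in attr:
            key, value = attr.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        else:
            attrs[attr.lower()] = True  # bare flags such as Secure, HttpOnly
    return {"name": name, "attrs": attrs}


def audit_response(headers: List[Header]) -> List[str]:
    """Return findings for settings that let a session be sniffed or replayed."""
    findings: List[str] = []
    names = {k.lower() for k, _ in headers}
    if "strict-transport-security" not in names:
        findings.append("no Strict-Transport-Security: browser may still try plain HTTP first")
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        cookie = parse_set_cookie(value)
        attrs = cookie["attrs"]
        name = cookie["name"]
        if "secure" not in attrs:
            findings.append(f"cookie {name}: missing Secure, will be sent over plain HTTP")
        if "httponly" not in attrs:
            findings.append(f"cookie {name}: missing HttpOnly, readable by page scripts")
        if "samesite" not in attrs:
            findings.append(f"cookie {name}: missing SameSite")
    return findings


# Constructed: what a site vulnerable to the attack in the post might send.
WEAK_RESPONSE: List[Header] = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session_id=abc123; Path=/"),
]

# Constructed: the same login with the cookie pinned to HTTPS.
HARDENED_RESPONSE: List[Header] = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "session_id=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
]


if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(response) or ["no findings"])
```

The `Secure` attribute is the one that matters for the open-wifi case; `HttpOnly` and `SameSite` are listed because an audit of the login cookie should check them at the same time, and the HSTS header closes the gap where the very first request goes out before the browser knows the site is HTTPS-only.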
Tags: Account Security
Maybe you haven't heard of this yet, but a pilot working for ExpressJet refused to use the new nudie scanners installed at his airport. They offered to pat him down instead, but according to him:
"Pat down is misleading," Roberts explained. "They concentrate on the area between the upper thighs and torso, and they're not just patting people's arms and legs, they're grabbing and groping and prodding pretty aggressively."
I've written about this previously, as it's been reported that refusing the scanner will get you a "super-sized" pat-down almost like a punishment, and this experience seems to confirm that.
Peter Pietra, the head of privacy for the TSA, is a reasonable guy who I met at a conference once. I asked him about this issue and he stated that the procedures seemed to work as intended. People have the right to opt out, but must be patted down in the process. I asked him about the "aggressive pat-down" and he said this:
There is no retaliatory pat-down for people who decline AIT. There used to be several types of pat-downs, but there are now only two (standard, and resolution). People who decline AIT or metal detector, for that matter, get the standard pat-down, but our standard pat-down changed about a month ago …. There was a flurry of media attention about a month ago on it, and some complaints following the news articles, but not a lot. My rough recollection is a dozen or fewer complaints specific to the new pat-down.
There is no retaliatory pat-down…people who decline get a standard pat-down
Along with my previous talks with him, this is the second time he's assured me that there is no special treatment of people who refuse the scan. While I'm positive there are people who abuse their authority or make things tougher for people who they think make things tough for them (asserting rights which also makes their job harder), here's the thing:
There are two pat-downs and while I don't know what warrants the second, you should only get the first by refusing to be scanned. Therefore, if your pat-down is more extensive than what you see old people with heart devices getting, it's time to complain and complain loudly (which is what I believe this pilot has done, and good for him). Peter says he thinks there's no problem because he hasn't received many complaints. If you think you've been a victim of retaliation or excessive probing, make sure he hears about it.
Support for the Pilot
There's been a lot of support for him in the airline industry (among workers not officially). Here are some of the industry forums where they're talking about him:
I recently went through the airport and also refused the scanner. I was patted down, but the TSA employee was very clear and professional. At no point did I feel uncomfortable.
It's a big deal if someone overdoes it and they should be called out, but it really wasn't a problem for me.
However, I was once told that signs would be prominently posted showing people they could opt out of the scan, but I found none anywhere.
, Nudie Scanners
I always recommend having a Software Firewall on your computer, but the one catch is that you have to know what to do when you get an alert. It's not very hard once you've seen it once or twice, but to help you walk through it, I've made this firewall flowchart:
Just start at the green oval and answer the yes/no questions to trace your way through.
Tags: Computer Security, Software Firewall
So it's not just Facebook that's full of holes and privacy issues. Twitter has been warned by the Federal Trade Commission for their "serious lapses in data security".
The FTC had originally accused the social media service of making private tweets and the login credentials of users easily available to "hackers" between January and May of 2009. During that time, someone was able to gain administrative access to Twitter's system (and therefore access to thousands of user accounts, passwords, direct messages, and more) simply by using password-guessing software. That user reset numerous user passwords, allowing others to access those accounts.
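The detail worth noticing in the FTC complaint is "password-guessing software": a burst of failed logins against an administrative account is loud, and a site that was watching for it would have locked the account or alerted long before the guesser got in. As an added example (not from the post, the FTC filing, or Twitter), here is a small detector run over constructed login-log lines; the log format, threshold and time window are assumptions chosen for the illustration.

```python
# Added example, not from the original post: flag the password-guessing
# pattern described in the FTC complaint from a login log. The log format,
# the threshold and the window are assumptions; the log lines are constructed.

import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, Optional, Tuple

# Assumed log format: "<iso timestamp> src=<ip> user=<name> result=<FAIL|SUCCESS>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>FAIL|SUCCESS)$"
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def detect_guessing(lines: List[str], threshold: int = 5, window_seconds: int = 60) -> List[str]:
    """Return alerts for any (source, user) pair with `threshold` or more failed
    logins inside `window_seconds`, and a second alert if that pair then succeeds."""
    recent: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)
    flagged = set()
    alerts: List[str] = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["src"], ev["user"])
        window = recent[key]
        if ev["result"] == "FAIL":
            window.append(ev["ts"])
            # drop failures that fell out of the sliding window
            while window and (ev["ts"] - window[0]).total_seconds() > window_seconds:
                window.popleft()
            if len(window) >= threshold and key not in flagged:
                flagged.add(key)
                alerts.append(
                    f"{ev['src']} made {len(window)} failed attempts on '{ev['user']}' "
                    f"within {window_seconds}s"
                )
        else:  # SUCCESS
            if key in flagged:
                alerts.append(
                    f"{ev['src']} logged in as '{ev['user']}' after a guessing burst: "
                    "treat the account as compromised"
                )
            window.clear()
    return alerts


# Constructed sample log: eight rapid failures then a success on "admin" from
# one address, and one ordinary typo-then-success from another.
LOG_LINES = [
    f"2009-01-05T03:14:{i:02d} src=198.51.100.7 user=admin result=FAIL" for i in range(8)
] + [
    "2009-01-05T03:14:09 src=198.51.100.7 user=admin result=SUCCESS",
    "2009-01-05T03:20:00 src=203.0.113.5 user=alice result=FAIL",
    "2009-01-05T03:20:07 src=203.0.113.5 user=alice result=SUCCESS",
    "garbage line that should be ignored",
]


if __name__ == "__main__":
    for alert in detect_guessing(LOG_LINES):
        print(alert)
```

The second alert is the one that matters operationally: a success that follows a flagged burst is the signal to invalidate that session and reset the account, which is exactly the step that would have cut short the password resets described in the complaint.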
As is always the case, when not required to provide adequate security or privacy, most companies will do what they can get away with and no more. If there's no penalty for doing a bad job, don't be surprised when they don't.
An RFID tag hidden under a label
One of the many problems of RFID technology is that the tags can be hacked and used to spread viruses.
The device, which enables him to pass through security doors and activate his mobile phone, is a sophisticated version of ID chips used to tag pets.
In trials, Dr Gasson showed that the chip was able to pass on the computer virus to external control systems.
If other implanted chips had then connected to the system they too would have been corrupted, he said.
Mostly, this hasn't received a lot of attention to date because the computing power of RFID has historically been very low. But as the technology progresses, the consequences of not securing these chips properly become higher and higher.
Tags: RFID, Spychips
Sometimes when you set up an account with a company, they'll let you set a question and the answer. Then when you call in, the operator will read the question YOU WROTE and you get to provide the response. This has the potential to be highly amusing if done right:
Q: What the hell is your f***ing problem, sir?
A: This is completely inappropriate and I'd like to speak to your supervisor.
Q: I've been embezzling hundreds of thousands of dollars from my employer, and I don't care who knows it.
A: It's a good thing they're recording this call, because I'm going to have to report you.
Q: Are you really who you say you are?
A: No, I am a Russian identity thief.
Check out a ton more here.
, Telephone Challenge Questions