Man Hunts and Beats Teen for Mocking Him Online

For anyone who's participated in forums, online games, or any other system where you can communicate with random strangers, you've probably encountered people who make you angry. Some are just people you legitimately don't get along with, and some are "trolls": people who toy with others for their own amusement.

What makes people trolls is generally the anonymous nature of the Internet. Sadly, this is often only a perceived anonymity. Just yesterday, I found a post I didn't agree with and wanted to comment on it. Since the author had locked comments, I did a little web research and found her real name, school, e-mail address, and other sites she posted to. I was only looking for some means to contact her, but the information was fully filled out on these sites with no protection at all.

Imagine her shock to find out how easily she was found (and to be honest she called me quite a few names at first though we did have a good conversation after that).

Sadly, most people don't realize how difficult it is to be truly anonymous. In many cases the only thing keeping you safe is that you've never given anyone enough reason to look you up. And now we get to the real story.

Online games can be tense and frustrating. For example, the first time I played an online competitive game, I was completely crushed in seconds and insulted repeatedly for my efforts. I chose to stick with offline gaming, but others weather the storm and build their skills to the point where they can keep up and even be good enough to win.

However, there are just going to be times that someone is better than you. That's frustrating enough, but when they're rude and insulting, it can be maddening. And for context, understand that the people who are the rudest are often younger males who believe they don't have to "pull any punches" since they don't have to face the consequences of their actions (an idea that was excellently portrayed in Disney's Pinocchio).

My point is, this kid was being an ass with abandon. What was his opponent going to do? Hunt him down and hurt him? Turns out the answer was yes.

And believe it or not, there's a lot of support for the attacker online. The sad fact is that there are still consequences for what we do, even if we're online. Similar to the advice every parent must give their children about how posts last forever, we must also teach our kids not to draw undue aggression. After all, how do you know whether the person you're "teabagging" has the ability and the desire to come after you in person?

Citibank Unable to Afford Secure Web Design

Really Citibank?

When I teach, I explain how most of the breaches and problems you hear in the world aren't about clever hackers or sophisticated attackers, but instead about weak security. This has just become my new go-to example.

Basically after you logged into your account as a Citi customer, the URL contained a code identifying your account. All you had to do was change around the numbers and boom, you were in someone else's account.

What that means is that if you look at the address bar at the top of the browser, it contains the name of the website you're on and (as is typical) a whole lot of other junk like this:

http://www.citibank.com/account.asp?were=dumbbell&we=shouldhaveknownbetter

One of the values in the "lots of other junk" area told Citibank whose account to show. If you just entered any other number, the website treated you as the user with that ID and showed you their page, with no check that the account actually belonged to the person who was logged in. This class of bug (an insecure direct object reference, or IDOR) is one that security professionals have known about and handled for more than a decade, yet apparently large (and rich) companies can somehow manage to forget the basics.
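To make the bug concrete, here is an added illustration (not Citibank's code) of a handler that trusts the account number in the URL, next to a hardened version that checks ownership and a further step that hides the real number behind a per-session handle. The URL, account numbers and user names are constructed for this example.

```python
# Added illustration, not Citibank's code: an insecure direct object
# reference (IDOR) of the kind described above, next to a hardened handler.
# The URL, account numbers and users below are constructed for this example.
from urllib.parse import parse_qs, urlparse
import secrets

# Constructed sample data: account number -> record.
ACCOUNTS = {
    1001: {"owner": "alice", "balance": 2500},
    1002: {"owner": "bob", "balance": 90},
}


class Request:
    """Stand-in for a web request: the URL plus the user the (already
    validated) session cookie identifies."""

    def __init__(self, url, session_user):
        self.url = url
        self.session_user = session_user

    def param(self, name):
        values = parse_qs(urlparse(self.url).query).get(name, [])
        return values[0] if values else None


def show_account_vulnerable(req):
    """Trusts the account number in the URL. Any logged-in user who edits
    the number gets someone else's record; ownership is never checked."""
    acct = ACCOUNTS.get(int(req.param("acct")))
    if acct is None:
        return 404, None
    return 200, acct


def show_account_fixed(req):
    """Same URL shape, but the record is returned only if the session user
    owns it. Missing, malformed and foreign ids all get the same 403 so an
    attacker cannot probe which numbers exist."""
    try:
        acct_id = int(req.param("acct") or "")
    except ValueError:
        return 403, None
    acct = ACCOUNTS.get(acct_id)
    if acct is None or acct["owner"] != req.session_user:
        return 403, None
    return 200, acct


class HandleMap:
    """Further hardening: give the browser a random per-session handle
    instead of the real account number, so the URL carries nothing that
    can be incremented. Handles resolve only within the session that
    issued them."""

    def __init__(self, session_user):
        self._handles = {
            secrets.token_urlsafe(16): acct_id
            for acct_id, acct in ACCOUNTS.items()
            if acct["owner"] == session_user
        }

    def handles(self):
        return list(self._handles)

    def resolve(self, handle):
        acct_id = self._handles.get(handle)
        if acct_id is None:
            return 403, None
        return 200, ACCOUNTS[acct_id]
```

With the vulnerable handler, alice requesting `?acct=1002` gets bob's record; with the fixed one she gets a 403, and only her own account comes back. The handle map is optional on top of the ownership check, not a replacement for it: random handles stop guessing, but the server-side check is what actually enforces who may see what.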

UK Immigration Officer Put Wife on No-Fly List

This is awesome terrible. Apparently a UK immigration officer added his wife to the no-fly list while she was out of the country, effectively stranding her.

Given the lack of details and the fact that she could have just taken a ferry rather than an airplane, this story doesn't really seem that likely, but it's making the rounds, and the most important issue here is the possibility of a single government official, working alone, abusing the system. As long as important security databases are so poorly controlled that one person can add an entry unchecked, these kinds of abuses are possible.

Speaking of which, I found a supposed copy of the no-fly list online. Check it out!

Researchers Steal Cars With Wireless Ignition

If you read this site much, you probably know I have a "guilty till proven innocent" attitude when it comes to new technology, particularly wireless technology. That's why it's no surprise to me (and hopefully no surprise to you) that researchers have discovered they can break into and steal cars that use wireless entry and ignition.

The researchers tested a few scenarios. In one, an attacker waits by the car in a parking lot while an accomplice follows the car owner into a nearby store. The accomplice only needs to be within eight meters of the targeted owner's key fob, making it easy to avoid arousing suspicion; the car's signal is carried to the key and the key's answer carried back, so the car behaves as if the key were right beside it. In another scenario, a car owner might leave a car key on a table near a window. An antenna placed outside the house was able to communicate with the key, allowing the researchers to start the car parked out front and drive away.
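The reason this works is worth seeing in code: the key really does answer the car, so any cryptographic challenge-response verifies correctly through the attackers' equipment. The following added illustration (not the researchers' code) models a fob, the car, a direct link, and a relayed link, and goes one step beyond the article by adding the round-trip-time check that would catch the relay. The timing constants and distances are constructed numbers for the example, not measurements.

```python
# Added illustration, not the researchers' code: a challenge-response
# keyless-entry exchange, an attacker relaying it from a distance, and the
# round-trip-time bound that catches the relay. All timings below are
# constructed numbers chosen for the example, not measurements.
import hashlib
import hmac
import secrets

NS_PER_METER = 3.34          # radio propagation, roughly 3.34 ns per metre
FOB_PROCESSING_NS = 1_000    # assumed time the fob needs to compute a reply


class KeyFob:
    """Holds the secret shared with the car at pairing and answers
    challenges with a truncated HMAC."""

    def __init__(self, key):
        self.key = key

    def respond(self, challenge):
        return hmac.new(self.key, challenge, hashlib.sha256).digest()[:8]


class DirectChannel:
    """The fob really is next to the car: round trip is propagation out
    and back plus the fob's processing time."""

    def __init__(self, fob, distance_m):
        self.fob = fob
        self.rtt_ns = 2 * distance_m * NS_PER_METER + FOB_PROCESSING_NS

    def exchange(self, challenge):
        return self.fob.respond(challenge), self.rtt_ns


class RelayChannel:
    """Two attackers with antennas forward the frames between the car and
    a fob that is far away (in a shop, on a table by a window). The reply
    is genuine, so the cryptography verifies; only the extra delay the
    longer path and the relay hardware introduce betrays it."""

    def __init__(self, fob, fob_distance_m, relay_overhead_ns):
        self.fob = fob
        self.rtt_ns = (2 * fob_distance_m * NS_PER_METER
                       + FOB_PROCESSING_NS + relay_overhead_ns)

    def exchange(self, challenge):
        return self.fob.respond(challenge), self.rtt_ns


class NoKeyChannel:
    """Attacker with no access to any fob: can only guess the reply."""

    def __init__(self):
        self.rtt_ns = 2 * 1 * NS_PER_METER + FOB_PROCESSING_NS

    def exchange(self, challenge):
        return secrets.token_bytes(8), self.rtt_ns


class Car:
    def __init__(self, key, max_distance_m=None):
        self.key = key
        # max_distance_m=None models a car that only checks the crypto,
        # which is the design the relay attack defeats.
        self.max_rtt_ns = (None if max_distance_m is None else
                           2 * max_distance_m * NS_PER_METER + FOB_PROCESSING_NS)

    def try_unlock(self, channel):
        challenge = secrets.token_bytes(8)
        response, rtt_ns = channel.exchange(challenge)
        expected = hmac.new(self.key, challenge, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(response, expected):
            return "rejected: bad response"
        if self.max_rtt_ns is not None and rtt_ns > self.max_rtt_ns:
            return "rejected: reply took too long, fob is not nearby"
        return "unlocked"


def demo():
    """Run the four cases and return their outcomes."""
    key = secrets.token_bytes(16)
    fob = KeyFob(key)
    crypto_only = Car(key)
    bounded = Car(key, max_distance_m=5)
    relay = RelayChannel(fob, fob_distance_m=50, relay_overhead_ns=2_000)
    return {
        "owner_nearby": bounded.try_unlock(DirectChannel(fob, 2)),
        "relay_vs_crypto_only": crypto_only.try_unlock(relay),
        "relay_vs_bounded": bounded.try_unlock(relay),
        "no_key": bounded.try_unlock(NoKeyChannel()),
    }
```

The relayed exchange unlocks the crypto-only car even though the attackers never learn the key, which is the whole point of the attack. The distance bound rejects it because a reply from 50 metres away cannot arrive in the time a reply from 5 metres would. Doing this for real requires a fob whose processing time is tight and constant, which is why practical distance bounding uses dedicated radios rather than a software timer.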

Companies need to stop with this high-tech gadgetry until they commit to hiring brilliant security experts to design these systems for them. Even then, relying on simple wireless radio transmissions that any regular Joe can produce with less than $500 of equipment is just a bad idea.

Israel Airport Security is Good Because of Profiling

You know a good way to spot a terrorist? Look for someone who looks and acts like one (like they do in Israel)!

I know this ridiculous concept of banning profiling came out of the dark days of racism, when people were profiled on things that didn't matter, like the color of their skin. But that doesn't mean that profiling is wrong.

People profile all the time, and they should. If you walk out to your car late at night and there's a younger male in ratty clothes staring you down while sharpening a machete, should you keep walking since you "don't want to offend him by running the hell away"?

Give it a rest folks. If the TSA didn't have to give kids and the elderly the same attention as someone who's actually likely to be a terrorist, imagine how much smoother and simpler flying would be.

Yahoo Accounts Are Easy to Hijack

There have been some high-profile hacks of Sarah Palin's and Grady Sizemore's accounts, and the best defense is to not use real information when answering challenge questions.

Just make a Privacy Alias and use it for places that want your personal information, but don't really need it. Of course, if you use an encrypted file to store passwords, you don't have to make an alias at all. You can just store completely new made up challenge answers for each site.

Mint Data Lets You See Anonymous Purchase Trends

I've never liked Mint.com. Not because they're bad at what they do (they're not), but because you have to give them too much access to take advantage of it. So you get a little money management help, so what? You have to hand over your bank password to do it. Not only that, Mint is (surprise, surprise) using all that juicy data you provide for their own purposes.

For now, it seems that they're not actually telling anyone who purchased what, but there's no telling whether and when they'll start selling your valuable personal data to third parties. Until then, showing truly anonymous purchase information is kind of neat, so long as they don't take it further than that.

Hijack A Facebook Account in One Click

Ok so maybe not ONE click. But someone has put together a simple tool that you can use to take over the active sessions of anyone within wireless range of you: it listens to the unencrypted traffic on the network and grabs the cookies that identify a logged-in session. Hang out at the Starbucks free wi-fi and you'll be able to control the Facebook or other accounts of people nearby. It's an attack that was always simple to do for those who know how, but now any idiot can do it with a simple new interface.

By the way, they mention a few protections from this at the bottom of the article, but here's one more.
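To show what the tool is actually doing and what stops it, here is an added illustration (not the tool from the article): a sniffer that pulls login cookies out of plaintext HTTP requests overheard on the network, a toy site that accepts the replayed cookie, and the same site configured to issue the cookie with the Secure flag and refuse plain-http requests. The captured requests, host names, cookie names and session ids are all constructed for this example.

```python
# Added illustration, not the tool from the article: why an open Wi-Fi
# sniffer can take over a session, and the server-side setting that stops
# it. The captured requests, host names, cookie names and session ids are
# constructed for this example.
import re

# Constructed capture: two plaintext HTTP requests overheard on open Wi-Fi.
CAPTURE = (
    "GET /home.php HTTP/1.1\r\n"
    "Host: www.example-social.com\r\n"
    "Cookie: lang=en; sid=a1b2c3d4e5f6\r\n"
    "\r\n"
    "GET /inbox HTTP/1.1\r\n"
    "Host: mail.example.org\r\n"
    "Cookie: auth=zz99yy88\r\n"
    "\r\n"
)

# Which cookie carries the login on each site (the per-site knowledge a
# tool like this ships with). Hypothetical hosts and names.
SESSION_COOKIE = {"www.example-social.com": "sid", "mail.example.org": "auth"}


def _cookie_value(name, cookie_header):
    m = re.search(r"(?:^|;\s*)%s=([^;]+)" % re.escape(name), cookie_header)
    return m.group(1) if m else None


def sniff_sessions(capture):
    """Split the capture into requests and pull out each site's login
    cookie. Returns (host, cookie name, value) per hijackable session."""
    found = []
    for raw in capture.split("\r\n\r\n"):
        if not raw.strip():
            continue
        headers = dict(
            line.split(": ", 1) for line in raw.split("\r\n")[1:] if ": " in line)
        host = headers.get("Host")
        name = SESSION_COOKIE.get(host)
        if not name:
            continue
        value = _cookie_value(name, headers.get("Cookie", ""))
        if value:
            found.append((host, name, value))
    return found


class ToySite:
    """Server whose session store is seeded with a constructed logged-in
    user. With https_only=False it is the vulnerable site: the session
    cookie travels over plain http, so anyone who overheard it can replay
    it. With https_only=True the cookie is issued with Secure (a browser
    then never sends it over http) and plain-http requests only get a
    redirect, so the cookie never goes over the air in the clear."""

    def __init__(self, https_only):
        self.https_only = https_only
        self.sessions = {"a1b2c3d4e5f6": "alice"}  # constructed

    def set_cookie_header(self, sid):
        flags = "; HttpOnly"
        if self.https_only:
            flags += "; Secure"
        return "Set-Cookie: sid=%s%s" % (sid, flags)

    def whoami(self, scheme, cookie_header):
        """Returns (status, user) for a request carrying cookie_header."""
        if self.https_only and scheme != "https":
            return 301, None
        sid = _cookie_value("sid", cookie_header or "")
        user = self.sessions.get(sid) if sid else None
        return (200, user) if user else (401, None)
```

Replaying the sniffed `sid` against the vulnerable configuration returns alice's session; against the hardened one, the same cookie over http gets a redirect and nothing else. Note that HttpOnly does nothing here (it only keeps scripts from reading the cookie); what matters is that the session cookie is marked Secure and the site serves every logged-in page over HTTPS, not just the login form.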

TSA Pilot Refuses Naked Scanner – TSA Response

Maybe you haven't heard of this yet, but a pilot working for ExpressJet refused to use the new nudie scanners installed at his airport. They offered to pat him down instead, but according to him:

"Pat down is misleading," Roberts explained. "They concentrate on the area between the upper thighs and torso, and they're not just patting people's arms and legs, they're grabbing and groping and prodding pretty aggressively."

I've written about this previously, as it's been reported that refusing the scanner will get you a "super-sized" pat-down almost like a punishment, and this experience seems to confirm that.

Peter Pietra, the head of privacy for the TSA is a reasonable guy who I met at a conference once. I asked him about this issue and he stated that the procedures seemed to work as intended. People have the right to opt out, but must be patted down in the process. I asked him about the "aggressive pat-down" and he said this:

There is no retaliatory pat-down for people who decline AIT. There used to be several types of pat-downs, but there are now only two (standard, and resolution). People who decline AIT or metal detector, for that matter, get the standard pat-down, but our standard pat-down changed about a month ago .... There was a flurry of media attention about a month ago on it, and some complaints following the news articles, but not a lot. My rough recollection is a dozen or fewer complaints specific to the new pat-down.

Along with my previous talks with him, this is the second time he's assured me that there is no special treatment of people who refuse the scan. While I'm positive there are people who abuse their authority or make things tougher for people who they think make things tough for them (asserting rights which also makes their job harder), here's the thing:

There are two pat-downs, and while I don't know what warrants the second, you should only get the first by refusing to be scanned. Therefore, if your pat-down is more extensive than what you see old people with heart devices getting, it's time to complain, and complain loudly (which is what I believe this pilot has done, and good for him). Peter says he thinks there's no problem because he hasn't received many complaints. If you think you've been a victim of retaliation or excessive probing, make sure he hears about it.

Make sure your voice is heard. You can connect with his office here: TSAPrivacy@dhs.gov

Support for the Pilot

There's been a lot of support for him in the airline industry (among workers, not officially). Here are some of the industry forums where they're talking about him:

Jetcareers
Expressjetpilots
Flyertalk

UPDATE 2010/11/07

I recently went through the airport and also refused the scanner. I was patted down, but the TSA employee was very clear and professional. At no point did I feel uncomfortable.

It's a big deal if someone overdoes it and they should be called out, but it really wasn't a problem for me.

However, I was once told that signs would be prominently posted showing people they could opt out of the scan, but I found none anywhere.

Prosecuting Whistleblowers

It seems there's been a big push recently to punish those naughty whistleblowers who leaked government secrets and put everyone in danger. The only problem is, they didn't leak any secrets or put anyone in danger. Instead, they embarrassed their leaders and paid the price.
