Wired Sage

I came across an article on Wired.com (no affiliation) today that struck a cord. It’s Time to Drop the ‘Expectation of Privacy’ Test is the title of the article. And after reading and thinking about it for some time I’ve come to a few conclusions.

1. Government can’t save us from ourselves.
2. People are stupid.
3. People with power are dangerous.
4. Lawyers and Politicians are people and they have power.

OK, I’ll confess, I knew this all along but the discussion of privacy in the Digital Age gave me an excuse to highlight these truisms.

What’s wrong?

In this equation it’s assumed, security + privacy = null. And security and privacy are both defined as perfect — perfectly secure and perfectly private. The assumptions of the arguments always go unstated, but the argument has been spiraling out of control because these variable haven’t been defined properly. What is a reasonable expectation of security? What is a reasonable expectation of privacy?

Security

Let’s first tackle the question “What is a reasonable expectation of security?”. As I stated above, I feel our problem with balancing security and privacy comes from our unreasonable wants, desires, and needs for perfect security. We are blinded by some Utopian dream-world where there is no crime and people do not die from the misdeeds of others. I hate to be the one to harsh your mellow, but that will not come to pass during this evolutionary stage of our species. We will have to be very different, physically and emotionally — so different, I imagine we’ll be a new species by then, another branch of the evolutionary tree — before we see this particular, violence-free, utopian, future.

The question remains. And as I write this I struggle with the answer, can reasonable security be defined by body count? Can we say a reasonable expectation of security be that no more people die in terrorist acts than die on the roadways in car accidents? Or do we look at it by incident? Can we say that our reasonable expectation of security is that no more than one terrorist act take place within the borders of a state per year? Every two year? Every five years?

Now I see the dilemma. As a species we have probably lived in communities for safety for too long. The world is just not safe and no matter what we do, we will never make it a perfect place where one will not be harmed by the actions of another. People die all the time. People die going to the grocery. People die going fishing. The government can not give you eternal life. The government can not make you perfectly safe. It is true that the government can do some things to help insure you’re not mugged, raped or murdered. I’ve seen it happen. A cop on every street corner in the 80’s made NYC streets safer. Streets are public and public implies the lack of privacy.

I personally like the idea of the body count criteria. I also like correlating terror-deaths with traffic-deaths. Sure, the horror of 9/11 was that most of the people who died, died at their desks at work. They thought they should be safe at work. But if you look at traffic fatalities, you can die on the interstate driving to work. You should be safe in your car, right? But traffic deaths we’re not outraged over. Probably because of the lack of intent to do harm. Negligence comes close to producing those feelings of outrage; drunk drivers come to mind for example. But still, 2000 dead on our roadways, no problem. 2000 dead and six months or more of constant media attention and we all collectively scream that we can’t have that now, can we?

Privacy

I agree that there shouldn’t be a test for privacy, it should be defined and guaranteed by our legislature. How would you define privacy though? The most basic communication occurs between just two people. Any personal communication between two people is definitely private communication no matter what circumstances or setting it happens in. If I’m talking to a girl I just met at a bar, our conversation is private. If I’m talking to a friend in the park, our conversation is private. If I’m talking to a stranger at a hot dog stand, our conversation is private. Could the conversation be overheard by a third party, yes. If that third party was a representative of the government, should that information overheard be admissible in court? No. Here I make the distinction between knowing, and officially acting on that knowledge.

But there are so many ways that two people can communicate: speech, sign language, e-mail, SMS text messaging, cell phone, fax, POTS land line phones, IP telephony, etc. Do we define all cases and methods of communication or do we just simply say that the conversation taking place was between two people and cannot be listened in on without a warrant? Warrants can no longer specifically be for ‘wire taps’, or for opening e-mail, or any other specific thing. There needs to be a new warrant in the digital age. One that allows the government agent to listen to a particular person, no matter what the setting, no matter what the method of communication. A digital-age-warrant. An official court document stating that this individual’s right to privacy has been temporarily remanded (a specific and short time frame) for the greater good of the society. I am all for letting law enforcement do it’s job, but I’d also like some checks and balances. Tell me again, who watches the watchmen?

Congress is the answer

Now I see how laws grow to volumes. I haven’t even covered conversations of small groups. Declarations of privacy, e.g. “Don’t tell anyone, but…” “This is just between us…” and the plethora of unthought of situations and circumstances. All of what we do as a species is communicate in one form or another. I don’t write laws for a living, so here I think I’ll leave that up to the people who do. Congress must act to protect our privacy. Congress must act to make our privacy a right. We should guarantee this as an amendment to our constitution. It is such a basic human right that many of us assume it is somehow guaranteed already.

Privacy must be paramount. Liberty must prevail. If you want to be secure, the government can put you in a small room, give you cable TV and Internet service, feed you three square meals a day, and let you exercise in the yard once every third day — it’s called prison.

The government can not ensure your protection. Surprisingly, the entity who has the most control over your safety and well being is you. Do you want to not feel like a sheep or lemming in public? Train yourself in self defense. Are you fearful that an attacker might use a weapon against you? Train with firearms and get a concealed carry permit. Take control of your life. Be the master of your own destiny.

Those who would sacrifice liberty for security deserve neither. -Benjamin Franklin

Santa Clause brought a new 13″ macbook for my eldest daughter this year.  He was kind enough to set up most of the laptop for her, but left a few tasks for me to tackle after the holiday.  One of which was email.

Apple Mail has some wonderful Parental Controls allowing the parental units to define a white list of who the child can exchange email with.  Fantastic Stuff!  But my problem was my daughter has an email address from one of my google apps domains.  I needed to figure out a way for her to ONLY use Apple Mail and not login to Google via the web to circumvent those Apple parental protections.

I decided just on a monster password that she doesn’t know.  One that she will not be able to remember or type in.  We’re talking 35 characters long, upper case, lower case, numbers, and special characters.  It’s not a perfect solution.  The password is saved in the Keychain, and she can get it out of there, when she figures it out, but it seemed like a good compromise for now.

I could blacklist the URL for gmail so she can’t access her email via the web on her computer.  But, that won’t stop her from accessing her email  from another computer if she can figure out how to get the password off her macbook.

I’ll do some more investigation around this later.  It would be nice if Google allowed an account to ONLY be accessed via IMAP.  I’ll look into if that’s an option today, and if not, I’ll ask Google for the feature.  I think it would be a nice option to have.

Yesterday we also set up iChat, so now we have a video intercom in our house.  It’s funny to video chat when your kids just down the hall.  She is completely enamored with the Alpha Channel options in Snow Leopard’s iChat.  We need to get a green screen now.

The world has officially come to an end.  The seas have turned blood red, the sky is on fire, and I hear the hoofs of the four horsemen approaching.  I joined Facebook today.

I have always felt that Facebook has it’s place for those who are not gifted with mad-uber-tech and zen-computer-fu skillz.  I never felt a need to join Facebook because I figured that if you knew me, you knew this is my web site (it’s on the bottom of all of my personal emails — just a click away) and you had all my contact information… if  you wanted to talk you just had to send me an email, video chat with me (skype, AOL or Yahoo!), or just use the phone — I’m in the book.  And here, on my own personal domain, in my own little electronic kingdom, I control my privacy completely.  If you don’t know me, my personal information on this site is pretty sparse and I feel confident that you’re not using this site as a resource to stalk me or my family.

Over the years I’ve gotten many friend requests for Facebook and for one reason or another I didn’t join.  Reasons included requests sent to my work email address, personal privacy issues, my impression that Facebook was just another re-branded version of MySpace, and Facebooks own EULA.  My content, whether you find it to be inane drivel or not, is mine and I will not grant license to any company or organization to use it as their own.  Ever!  The only thing left that we can honestly claim as our own is what we think, feel and say.  There’s no way I’m giving that up to a corporation.  Then again, I’m jaded.  I’ve seen people lose their reputations on-line.  I’ve seen people lose their jobs on-line.  I’ve seen people lose their identities on-line.  I’ve seen people lose their life savings on-line.  I’ve seen people lose their children on-line.  The Internet is a lot like New Jersey, it’s got it’s really nice parts, and it’s got drawbacks, and it’s got it’s really bad parts… except the bad parts of the Internet are way worse than Newark ever was.

So, now that you know my true, honest feelings about Facebook, I’m sure you are wondering, “Why the hell did you sign up?” Well, my brother came over for Christmas and, as a Facebook addict, he had to get on my iMac to tag someone’s wall.  I gave him the bah-humbug-facebook-shpil and he said, “Naw! You gatta look here… check this out.” So he gave me the tour.  Everything I’ve seen before except one thing.  One thing made me say, “Crap!  I have to join Facebook now!”

My 89 year old Aunt was on Facebook!

So, I read the EULA again, and three sections of it turned my stomach.  But, my 89 year old Aunt Edna on Facebook outweighed the drawbacks enough to make me join.  So I’ve joined, but there is no way I’m uploading any content of any considerable value to their site.  If you desire anything of substance from me, if you want to read anything other than a “LOL! you goof!” or a “Yeah, we need to grab a beer this weekend.” you’ll have to read it here.  Where, for whatever it’s worth, I own it.  It’s mine, all mine.

With that said, Facebook gets a minimum amount of personal information about me.  If you know me and friend me on Facebook, you’ll always have a quick, easy link to this website and you’ll always have a link to my photo gallery.

Well, that all happened.  It’s all true.  But there was something else.  Aunt Edna was the #1 reason I joined Facebook.  But there was one more thing that tipped the scales in favor of signing up at Facebook — Google Wave.  Google Wave integrates with Facebook.  So I don’t actually have to login to Facebook to participate in the conversations there.  I can do it all remotely, from Google Wave.  That to me is just cool.  I’ve grown to be a google fanboy of sorts, and anything that makes me use Google Wave more, can’t be a bad thing.

Google Wave might actually get me to sign up for Twitter too…

I was browsing my logs today. I get bored sometimes. As a security guy, it’s something I know I should do more often. It just seems a little pointless. No bragging here, my time is expensive. Every minute I’m not working is a minute I’m not securing my family’s future. I sound like an investment commercial there, but it’s true. In life, nothing is free, there is a cost that can be associated with everything. Like the costs of running this site. Some would argue it’s only a few dollars a month. I feel though that it’s more than that now. You see today, I’ve seen tracks… traces of an undesirable element in my log files. Yes, today, I have seen the tell tale sign of haxors.

zero sum game

I use that spelling specifically. I’m one of those old-fogies that call themselves a hacker. But I’ve never done harm. Never deleted a file. Never defaced a website. Never threatened anyone’s lively hood. I have played a practical joke or two. But nothing that brought any harm, real or perceived. In my mind a true hacker is a ‘computer enthusiast.’ A person who likes to play games and solve puzzles. A person who likes to cobble together creative solutions to technological challenges. For example, the other week I decided to see if I could have a radio-show without a microphone. Why? For the same reason people climb mountains, “Because it was there.”

Haxor is my way of identifying one who is not a true hacker. One who is trying to spread malicious code, create a bot network, deface a website, etc. You might have heard terms like script-kiddie, cracker, hijacker, etc. I like haxor.

Anyway, I started my site using iWeb to publish static content here. It seemed to work fine. But one of my very close friends, also in security, basically refused to come here because the created code was so javascript heavy. I kept my eyes open for a solution to this dilemma. I want something that I can quickly and effortlessly publish and update that produces good clean code. Another colleague of mine suggested WordPress. I did some research and found it to be quite nice. I have some reservations running a php based site, but I put a little effort into setting it up properly. I also found that I could use Gallery with iPhoto (there’s a nice plugin that allows me to publish effortlessly) and I now have a site that is accessible, robust and easy.

Today, I saw why I was originally hesitant of running a PHP site. The requests in my logs were for install configuration php files and other files that had my database password within. Now while this is distressful, it’s not something I didn’t expect to happen some time sooner or later. I didn’t think my site was popular enough to warrant a haxor presence, so on one hand I’m pretty flattered. On the other, I just have to wonder why? Is it because I’m in security? It is because I’ve upset someone? It wouldn’t be the first time, believe me. What is the benefit and what is the cost?

No-win scenario

Well, the benefit might be bragging rights that a security guy’s site was haxed. But there’s really not much to brag about. I put very little effort into securing this information.

What is that you say, Mr. Haxor? You own my database? You know my password? That password is either really lame and low security or randomly generated. It won’t even get you into my email. Believe me, it’s only used for the database. And I have backups of my database. Purge, reinstall, restore, and I’m back up again.

What is that you say, Mr. Haxor? You have uploaded nasty maleware to my site? No worries, rm -rf ./* will fix that. And I have backups of my site too. It might take a few days to upload it all, but you’ve done nothing but waste some of my precious time.

What is that you say, Mr. Haxor? You pwned me? You think this is a game. That’s funny, because I wasn’t playing any security games with you. I don’t have time to. You’re really not worth my time. Nor is finding and plugging any security holes in WordPress or Gallery.

Will I plug holes that you so rudely point out? Yes, because I don’t want to continue wasting my time restoring my website. Will that mean you won and forced me to play your stupid games? No. There is a secure way of using these programs, it’s just a waste of my time and website resources. Will I eventually do it? If you piss me off enough probably. But then again, where are you going if your goal in life is to piss people off? My guess, prison.

So everyone knows, this site is a soft target. Nothing special here. No time, money, or desire to secure it. If you’re just a griefer, realize this, I could not care less. As in, I care as little as possible. As in, this is my notebook. If it’s lost, burned, or soaked in coffee, I’ll just replace it.

If you crack this site I officially declare you to be a script-kiddie-wannabe. Weak. Lame. Tired. Pathetic. Go beat up a first grader. You’re still worthless. You have proven nothing.

Time to step down from my soapbox.