Silicon Shecky

Infosec Practitioner

Connect

Privacy vs. Security

By Leave a Comment

The GDPR is coming, The GDPR is coming!!!

Well all know that the GDPR goes into effect in May. As I was listening to the Defensive Security Podcast this week, they started talking a bit about how the privacy laws can affect security and security posture. It is odd to think that something like privacy which we are in favor of, can have a negative effect on security, but it can. If you think long and hard about it, not being able to access logs, to be able to see where people have been on their corporate computers, how secure can we make them? One of the first steps in corporate security is knowing what is on the network, and knowing what data you have. Now you have an employee using their work computer for personal business say online banking, or logging into a patient portal. Now lets say those are phishing sites that look very much like the real site and not only that but after the first login attempt, redirect to the real site. At what point do we have to stop in an investigation of say malware on the machine? At what point are they breaking maybe corporate rules. The corporation cannot compel the individual to opt into being monitored according to the GDP. Maybe the corporation has a policy of no personal stuff being done on the work computer. How do we know without being able to have the insight?

What we seem to be getting into is a sticky situation that really has not been thought through to logical conclusions, or at least most except the best case scenarios were not granted viability. In the end there is a balance required to get best security and privacy at the same time. Right now though, everything tend to be out of balance.

Google, What have you done?

By Leave a Comment

Google uses the moniker, “Don’t Be Evil,” but is that the truth behind the company? A look at Google Plus might change your mind.

Google+ is an interesting creature. One that is gaining popularity rather quickly. It is also one that might not last due to Google’s own policies.

The buzz around Google wanting people to only use real names in Google+ is gaining more and more steam. People are not happy with this idea. Everyone thought that Google+ would be better than Facebook. It definitely has the potential to compete with Facebook. The naming issue is turning into a stumbling block.

I will not go into depth on the whole idea of hiding from stalkers using a pseudonym in a social media setting. Instead I look at it from a natural way to know people. I have a great deal of online friends. I know them by their names from games, from forums, form other places that you don’t use your normal name. So when I see that Joe Shmo instead of DJ Cool J has added me to their circles, I have to sit back and wonder who the heck is following me? For that matter, Google+ is only as usable as the people you have in your circles, and if I cannot find them easily, which means nicknames, pseudonyms, etc, then I am not going to use the site.

Google though, sees the whole Social Media world as data. Just like search, just like AdWords, it is all data that can be used with algorithms to extract bits of information. That information can then be used to send targeted advertising to you. This increases the chance that Google and the company who is advertising can make some money off you. Its all about making a buck.

So should it surprise anyone that Google wants to mine what you say in Google+. What you Link to? Who you are? The amount of data that Google can dig up on each one of us through public means can really give a good profile of us. That can be used for Advertising, or worse, should Google decide to use it for “Homeland Security” purposes.

The book In The Plex by Steven Levey takes a good look at Google. Brin and Page (Google’s Founders) are all about the data and search. Data especially, because they want to have everything in the world indexed in one spot. Just imagine if that data fell into the wrong hands.

Facbook Video Chat

By Leave a Comment

Last week Facebook announced a new video chat powered by Skype. The question is, what does this mean for privacy?

Facebooks announcement last week of now having the ability to have video chats with friends was a big announcement. It meant that Facebook was doing something other chat systems have had for years. The partnership with Microsoft/Skype (that deal is still pending approval), is logical. The problems that Facebook can face though, have me wary of it.

First off, Facebook doesn’t enforce its own TOS, which has an age limit. We already have heard about cyber bullying cases. The video chat can take this to a new level. What about people pretending to be your children’s age, but really being pedophiles? This now takes on a different issue. There are 2 other things though that bother me about this.

First, encryption of calls. I haven’t had a full chance to play with the system, but nowhere have I seen any mention that the calls will be encrypted. Skype itself uses encryption on the client end, but Skype also is a P2P system, so the encryption happens at a person’s machine. Facebook looks to be a server solution, so are these call being encrypted, or can someone easily look in on them? I know some people are looking into this aspect.

The other troublesome part to me is a patent that Microsoft has from 2009 to silently record calls over a network. With the pending acquisition of Skype, it can be very easy for Microsoft to toss this technology in Skype, and the Facebook chat. think of it, your calls, your video, your “private” conversations, recorded without your consent, without your knowledge, and possibly without a warrant. This is not to say that they will, but the opportunity is there. Not only that, but think of Facebook’s stance on privacy. They have already said that they don’t care about it. People will get used to not having privacy. Imagine the information they can get from your phone calls.

I am not saying that these scenarios will happen, but they are possibilities. Some more likely than others, but they all must be taken into consideration.