Showing posts with label Hackers. Show all posts

Thursday, February 11, 2010

Our country ‘tis of… Google?

I’m a fan of Google, always have been, but even I can tell that Google is well overstepping its bounds lately. First was the Google – China issue (which is still underway); you all remember that from my little bet, right? This seemingly appears as a front for an NSA – Google partnership. Obviously, since the NSA is involved, not much information is available about the true intents and possible deals made with that little infringement on freedom. There is plenty of speculation, as well as many government conspiracy theories. This was one partnership that even got me thinking, but like a good little Google monkey, I pushed my fears aside on this one, even though the entire thing prompted EPIC to start an investigation into this matter.

Even more recently, Google has announced, and launched, “Buzz”. Buzz is Google’s new attempt at breaking into the social networking market, and they seem to be purchasing a few new companies as well as integrating existing social networks to help boost their success. Google Profiles is being pushed as well, a new way to use Google search to search through your friends’ social networks and information just in case they might have posted something of value pertaining to your search somewhere. The idea of Google Profiles isn’t bad, but the real-world use is a bit asinine.

Next in line for Google is Google’s news about needing faster internet in the US and proposing a 1Gb fiber optic network and possibly entering the ISP wars in order to push this. I’m extremely happy that finally someone is trying to push for fiber-to-the-home networks and not just sticking with the “last mile” fiber motto. However, the more concerning thing is Google becoming an ISP.

Gmail, Buzz, Google Voice, Google Wave, Google Profiles, Google Web-pages, Google Blogging service, Google IM, Google Docs, Google Calendar, Google Checkout, Google Phones, Google Books, Google Chrome (web browser and soon Chrome OS), Google web search with logging history, which is also under fire and being asked for 2 years of data logging, and many, many more. Google effectively controls and houses more than its share of information and communications online, most of which is free for users. I appreciate and use many of the services Google offers; however, I make no preconception that any of it truly is private. By itself, that is not that big of an issue for me. I’ve nothing much to hide and I realize how truly insecure most information through any web provider or service really is. But that doesn’t mean there is information I want to be public or controlled by any one source.

Google’s partnership with the NSA is now becoming more alarming, as Google is heavily pushing to become the world’s information storage bin. Granting the NSA any rights that are not already in effect, which is scary enough, is truly just asking for problems. It’s pretty commonly recognized that national security for any nation, especially cyber security, requires extraordinary and brilliant individuals. Most of the cyber criminals we hear about are pirates and hackers, usually bypassing copyright protection, or hacking into servers like Twitter and launching DoS attacks. The type of guys hired by outfits like the NSA and the Chinese government are the ones you don’t hear about. They are the people who develop the software and control many botnets, or find ways to hack TPM chips with household cleaners and rust removers. Providing people as dangerous as these hackers, even in a controlled industry like the NSA, with any access to our Google information is beyond scary.

Again I will recount, I was willing to let that ride unless more information became known, until I heard that Google was going to get into the ISP market. By their count, it’s only for a “testbed” and they are not intending to compete, but what kind of company puts down 1.3 billion for a fiber network and enters a “test” ISP scenario without the intent of staying there? Especially when ALL information used, obtained, viewed, or submitted online MUST first go through an ISP. We have come to realize that Google is all about information, and the control thereof. Selecting them as the gateway for this information, while having the NSA lurking in their bed, really is a rather frightening thought.

I’m not huge on conspiracy theories, even though I do like to embellish a bit. However it’s not hard to come to the conclusion that Google is entering worlds that would require FCC and FTC investigation and quite possibly go directly against their “do no evil” motto. Take from that what you will, but it looks ugly.

Google is going to be hard-pressed to remain on the good side, and keep their innocent appeal with the general public. They have started a “human rights” agenda and brought Google, the US government, and now Iran into the mix. Their Internet Freedom line of defense is extremely subjective while they are tempting fate with the NSA and jumping into the ISP market. I will be closely following this outbreak of information Nazism and look forward to watching Google walk this extremely fine line. With Apple watching and exacerbating every move Google makes, I’m not sure how much of their business deals will remain secret.

Monday, February 1, 2010

Computer safety, Which OS?

A very long-standing debate among experts, hobbyists, and general consumers: which computer operating system is the best? This question always ends up being synonymous with: which OS is more secure? The problem here is that these two questions are completely and entirely independent of each other. Let’s look at both in more detail.

Security:

This is a multilayer question. Hack attempts, malware, spyware, viruses, etc. generally have one common goal: to steal information and acquire access. Computer attacks mostly fit into 2 categories: attacks for profit, or attacks to harm a large company, usually as a political statement.

Let’s start from the bottom and most basic: physical access. Criminals with the intent to gain access to your computer by means of directly and physically accessing it usually do this in public areas: coffee shops, airports, stores, parks, etc. They will either lift the entire machine, or quickly access it while it is left unattended. Obviously this is not the most common, but it does happen. I have worked for a company where several laptops storing sensitive information went missing or were stolen in public places.

In this scenario the thief has more tools at his disposal, but usually just wants to make a profit selling the machine. In cases where the machine has Windows or Linux, they will usually sell the machine as is, or reinstall the OS. However, if the thief does want access to the machine, each is vulnerable, but I’d have to go with Linux as the safest. Macs have a quick-access account reset method that could be done in minutes. Holding Apple key + S while the system is rebooting will drop the user at a “root” prompt (root being system-level access that is otherwise disabled on Macs). After that it’s a few steps away from resetting the password or creating a new admin account. Windows has a similar vulnerability, ERD Commander, which is used by many professionals to reset passwords or attempt to repair non-working Windows machines.

OS and Web attacks:

This is really 2 parts; however, they culminate in online-based attacks. All 3 major OSes have their flaws and security measures. Microsoft has by far added the most advanced and secure options as well as multiple ways to manage them. They now also offer free anti-virus software, which is as decent as any free and most paid subscription-based anti-virus programs. The ads depicting Windows Vista with annoying pop-ups asking for permission to run programs are NOT new to Mac or Linux users. Each asks for elevated privileges, usually by asking for an admin username and password to run or install certain programs. Windows Vista did take it a bit farther by occasionally adding one extra security dialogue box, but nothing more intrusive than Mac and Linux already implement. Point being, when a virus or malware gains access to the system, it must also gain access to an admin account, making it a bit more difficult to infect. We can equate this security measure to the protection you may have in your house. If the thief gets in your house without being detected, it’s up to your in-home security to block them, which most people don’t have. Anti-virus programs and these annoying security measures are a last-resort step to prevent infection, and generally are not too effective on any platform. If the virus is new, or altered enough, your anti-virus program likely has not published a definition detection for it.

This leaves us with the entry point, the most important step in preventing attacks. There are 3 major points of entry with all 3 OSes: instant messengers, the e-mail client (both web and module software), and the biggest being the web browser itself. Since there has been a major focus on security with all platforms, it’s becoming more difficult for attackers to gain access to a computer, so the attackers must also adapt. Most attacks now use a form of social engineering in one way or another.

Instant message attacks usually pop up in the form of a link. Bots are set up to spam as many contacts as possible, usually with a saying similar to “Hey check this out”, or “Is this a picture of you?”. If the end user clicks the link, they are directed to a site that instantly downloads malware/Trojans, then infects the user’s IM account and sends the same link and quote out to everyone on their contact list. This results in getting what seems to be a legit IM from a friend saying they found a picture of them and to go check it out.

Email, or “spam”, is a very common way to infect PCs. This can range anywhere from free or cheap medication and real estate properties to something more convincing, like spam appearing to be from FedEx saying they were unable to deliver a package, or from Delta saying that a flight plan had changed. The latter usually contains a zip file with supposed information about the problem. Once the zip file is opened, or the link is clicked, the computer is infected and begins spamming out messages from the user’s mail client as well as opening holes for attackers to use their computer in a “botnet”. Anti-virus programs are usually useless against these attacks, relying heavily on spam filters to block both executable files and harmful links, but they still can and will get through with enough effort.

On to the browser attacks. Browser attacks are the absolute most common and devious attacks, spawning arguments, debates, and development cycles commonly known as the “browser wars”. The vast majority of attacks on a computer come from browsers and always implement a certain level of social engineering. A website may clone a legitimate website, appearing to the user to be exactly where they wanted to go. Upon entry, or upon clicking on a link, it will start downloading and infecting the user’s machine. Other attempts will advertise a video, game, download, or other such material, enticing the user to visit based on the user’s assumption that they would truly like to view or use the advertised product. There is almost no end to the number of infected sites falling in this range, and it often requires great care and scrutiny from the user to avoid these traps. This type of attack usually exploits a security hole in the web browser or a 3rd party plug-in to gain access, especially when the site includes Flash or Java content. All browser developers work extremely hard to prevent security holes and patch their software, but they do require the user to constantly update their software.

In the end, attacks come down to very basic elements. If a user is not allowing automatic updates, or not downloading the updates that must be installed manually, they are more prone to attacks. Every OS, browser, mail client, and IM client requires regular updates to remain safe and must be attended to. On a more fundamental level, since these attacks on the general public are aimed at money and pure numbers, the most commonly used OS/browser/IM client is quite obviously going to be the most commonly attacked, which sheds a very real light on what advertisers would rather you not know. It’s not a matter of what OS is more secure; it comes down to what OS holds the largest user base, which will be most frequently attacked. If Windows were the minority in the OS wars, it would suffer far fewer attacks than a Mac.

In an article from Cnet, Jeremiah Grossman from WhiteHat Security put it best, “from a consumer's perspective you probably should be using the word 'safe' rather than 'secure'; two completely different things. 'Secure' is a supermax prison. 'Safe' is a playground in suburbia. Follow?”

In the end, consumers should not be looking at their choice from a security perspective. The choice should be summed up by what you need from your computer, and what options each has to meet your needs. The state of security will be a combined effort between software updates and extreme caution. Until software developers are able to remove the human element and social engineering aspect of security vulnerabilities, nothing will ever be secure on the net.

Thursday, January 28, 2010

Blippy – Why?

Blippy is a new social networking site designed to display personal credit card transactions automatically after purchase. Here we have a great example of people’s complete lack of interest in personal safety and security. Publicly posting up to every transaction, location, price, item, and frequency of use goes directly against what we’ve come to know about personal identity protection.

Imagine, for a moment, that you were the criminal who is attempting to steal someone’s identity. One commonly known security practice put in place by credit card companies is flagging purchases that exceed certain limits or go against the purchasing patterns that a customer generally follows. I know my card has been deactivated before because of unusual activity, be it several purchases in a day that don’t match my typical shops, or frequent use in another state. Blippy has made overcoming this security measure effortless. Simply steal a card, check Blippy, follow purchasing patterns.

Let us also take into consideration location tracking. This is already a problem among popular social networks like Facebook and Twitter. Users will frequently update their status via mobile phone or other device on what they are doing and where they are doing it. Aside from being extremely annoying to some, this allows others to track the exact location of an individual. In a more criminal state of mind, the mix of all these networks could allow them to track a target to a bar, wait until they have a few drinks, use social engineering to get close to their intended target and lift a purse or card. Then they have free rein for the next several hours or possibly days to buy items following a trend from Blippy before they need to ditch the identity and seek a new one.

Obviously this is an extreme case scenario, but it’s also a case that would be virtually eliminated without constant updates to free and open social networks. Now I’m not against social networks, I use them, however I don’t constantly update them allowing people to track my movements. Most of these technologies help us all stay connected to the world around us and make it easier to pass information along. However we also have a great need arising to be more aware of the adverse effects these outlets could potentially have. 

Blippy is a prime example of social networking going too far. The negative effects present behind this idea far outweigh the positive advertising and social connection it might provide. If you would like to keep your friends up-to-date on shops or items of interest, feel free to post them. Not everything needs to be public, and it most certainly doesn’t need to be available instantly and automatically. I feel it’s only a matter of time until we see a headline involving theft or even death due to Blippy’s publications.

How do you feel about this social networking idea, is it something you would use or feel is a good product? Leave your feedback and opinion.

Wednesday, January 27, 2010

Google vs. China

Recently, a good friend and I have entered into a bet involving the Google – China fiasco.

My side - likely scenario, Google will likely leave China. However I also entertain, and hope for, the idea that China may be backed into a corner and lift its skirt a bit.

My friend’s side - Google will absolutely not leave China and China will certainly not modify its laws.

The Story:

For those of you who are unaware or vague on the details of this issue, allow me to present the back story. Earlier this month Google announced that it, and up to 30 other Silicon Valley-based companies, had been victims of a cyber-attack aimed at obtaining intellectual property. Google quickly made this a very public matter, and urged many of the other 30 companies to also go public with this information. Several Gmail accounts, mostly those of Chinese human rights activists, were compromised, although reports indicated that the contents of the accounts had not been infiltrated.

During this announcement, Google also expressed concern about the Chinese laws centered around government censorship and stated that it would no longer censor its searches. Google rolled back its self-censored filters and sent most of its China HQ staff on paid leave to investigate the recent hack attempts.

The issue has now risen beyond business ethics straight into the world of politics. Last Thursday, Hillary Clinton made a public speech about internet freedom, which seemingly stemmed directly from Google’s decision to stand up to China and those who would censor internet freedom. Obviously, China was not very happy with her remarks and their mouthpiece blasted the U.S. for being hypocritical.

Opinion:

Google, being a business that is run on the foundation of its reputation and ethics, would be shooting itself in the foot to make a stance against such a blatant crime against internet freedom without any kind of follow-through. While I fully understand that it has dumped a lot of money into launching and operating in China, I don’t believe they would have made the issue so completely public and continued to draw attention to it without being prepared to follow through.

Google has also been hit with bad press about opening and censoring themselves in China to begin with. Since their launch in 2006 Google has only managed to take a small share of the search market in China. Their slim hold in China may also be a deciding factor in Google being so willing to pull out, as it may not be such a lucrative investment after all. What better way to bring in more business and attract more clients, as well as brush off a directed attack and infiltration, than to make someone else out to be the bad guy and protest them publicly?

Whether it’s a PR stunt, or a true ethical issue driving their decision, I really don’t see Google as a company willing to make idle threats of this caliber.

Leave some feedback, what do you think of the situation?

(and yes I realize the irony of using a Google owned blogging service to post this.)