Archive for the ‘Ethics’ Category

How Not to Handle Notification of a Potential Security Problem

February 19th, 2010 1 comment

A while back I signed up for the CouponMom.com newsletter (hey, who doesn’t like to save a few bucks), using a distinctive e-mail address that I use only for this purpose.

A while later, I started to get garden variety spam to this e-mail address (Viagra, etc).

There are a few reasons this could happen:

  1. I have been compromised and the spammers think it would be clever to use that address.
  2. Spammers start spamming that address as a matter of chance or because they think, “hey, this guy likes Coupon Mom, maybe he’ll like some male enhancement!”
  3. Coupon Mom is supplementing her income by spamming or selling the data, which makes its way into spammers’ hands.
  4. Coupon Mom has been compromised.

Usually, when this happens, it’s number 4.

I got to thinking, “hey, they might want to know there might be a problem. I should tell them.”

I fill out their contact form and wait. More than a week goes by with no response.

I try to post a cautionary word to the forum. More than a week goes by and my post doesn’t pass moderation.

I fill out the form again, indicating that it would be better for them to investigate this and notify their members of a breach, if one happened, than it would be for me to speculate about it.

Finally, I get a response. The response, in part, states:

You must have signed up for a Google advertiser link on the site, since the email signups for my site are not shared with any other party.

I am sorry you have had this experience, but caution you against publicly slandering The Coupon Mom program and our member database as the source of the unsolicited email.

Can I say that the Coupon Mom database has been breached? Categorically, no. But I can say that there are symptoms which, in my opinion, should cause a reasonable person to take a closer look.

What’s the lesson here? When someone tells you of a potential problem with your security, don’t just assume you are impenetrable. That person may serve as an early warning of a serious problem you would want to be on top of.

Who Controls Your Phone?

November 16th, 2009 No comments

My wife got an Apple iPhone over the weekend. It’s an amazing piece of technology. Apple has done a fine job adapting a traditional computer into a phone form-factor. It truly sets the bar at an entirely new level for portable computing. Of course, there’s also an integrated phone.

I emphasize that it’s a computer because it has all of the characteristics of a computer. With the iPhone, the phone is simply another application on the computer–not unlike a Skype application might be installed on your Windows computer.

Our mental models of computers and of phones are well developed, but mostly disconnected from one another. We have a history of using computers as an important extension of all sorts of information. We understand that allowing others to have total control over our computers is generally a bad thing, whether that someone is a government entity, corporation or script-kiddie. Phones, on the other hand, have traditionally been far less complicated. There is a pretty basic hardware device and a service provider. The risks are well understood.

As I was playing with the iPhone and trying to find ways to meet my wife’s IT needs, it became increasingly clear how little control I had over this computer. Without jailbreaking the phone, I had no way to get a shell, and therefore no way to collect logs, change passwords, harden the underlying OS, install intrusion detection, or do any of the other things I would normally do to a computer I managed. Apple was my only source for applications and only those applications which Apple approved of could be installed. My hands were completely tied.

Unless I jailbreak this phone, accept the risk of something else not working or of Apple breaking it in an update, and work through the ethical questions raised by doing so, I am completely at the mercy of Apple for the phone’s security and functionality. My risk assessment is theirs. My acceptance of risk is their acceptance of risk, which undoubtedly is primarily influenced by their bottom line.

This goes far beyond risk management. Imagine the outcry if Microsoft only allowed applications which they permitted to be run on Windows. We would have a world entirely dominated by Microsoft.

We need to lobby our lawmakers to, without equivocation, absolutely require computing platforms to be open enough for fair competition and where one company cannot call all of the shots. This is not about open source; this is simply setting requirements for a heterogeneous platform where the risk of total control of data is minimized.

As the world becomes more mobile, this will need to be increasingly recognized as an essential liberty.

Categories: Ethics, Personal Liberty

IncrediSpam

October 14th, 2009 No comments

I recently started getting spammed by Incredimail. I’m not going to give them the courtesy of a link here, but Incredimail is one of those useless (to me) applications that is supposed to make e-mail “fun” by junking it up with a bunch of graphics. I prefer my e-mail plain-text, thanks.

The interesting part is that they are spamming an e-mail address I have only used to provide my parents help with their computer. When I set up Remote Assistance for them, I used a distinctive address which I have never used anywhere else.

It seems that they harvested the “to” address and decided I needed some of their useless junk, despite not so much as an unsolicited “invitation” (which would still be spam) to receive their newsletters.

Spam is spam, whether it comes from some guy in Elbonia hawking Viagra or from some supposedly legitimate company. Don’t do business with spammers. Don’t use Incredimail.
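Both this post and the Coupon Mom post above rely on the same detection trick: hand a unique address to exactly one party, and whoever later mails it has told you where the address escaped from. The following is an added example, not code from this blog, that mints one canary address per service and attributes incoming mail back to the service that was given the address. It goes one step beyond what the posts describe by deriving each address tag with an HMAC, so that someone who sees one canary cannot mint a plausible address in another service’s name. The domain (example.org), the secret, the sample messages and all function names are assumptions made for the example.

```python
"""Canary e-mail addresses: mint one per service, attribute spam back to it.

Added example, not from the blog. Assumes a domain you control with a
catch-all inbox (example.org) and a secret known only to you.
"""
import hashlib
import hmac
import email
from email.utils import getaddresses
from collections import Counter

# Assumptions for the example: a catch-all domain and a long random secret.
DOMAIN = "example.org"
SECRET = b"replace-with-a-long-random-secret"
TAG_LEN = 12  # hex chars of HMAC kept in the address (48 bits)


def _tag(service, secret):
    return hmac.new(secret, service.encode(), hashlib.sha256).hexdigest()[:TAG_LEN]


def canary_address(service, secret=SECRET, domain=DOMAIN):
    """Mint the unique address for one service, e.g. couponmom-3f1a...@example.org.

    The tag is an HMAC over the service name: the address itself carries proof
    of which service it was issued to, and nobody without the secret can mint
    a valid address for a service they would like to blame.
    """
    service = service.lower()
    return f"{service}-{_tag(service, secret)}@{domain}"


def attribute(address, secret=SECRET, domain=DOMAIN):
    """Return the service a canary address was issued to, or None if it is not
    a valid canary (wrong domain, wrong layout, or a forged/guessed tag)."""
    local, sep, dom = address.rpartition("@")
    if not sep or dom.lower() != domain:
        return None
    service, sep, tag = local.lower().rpartition("-")
    if not sep or not service:
        return None
    if not hmac.compare_digest(tag, _tag(service, secret)):
        return None
    return service


def scan_mailbox(raw_messages, secret=SECRET, domain=DOMAIN):
    """Count, per service, how many messages were sent to its canary address.

    Only To:/Cc: headers are examined. On a real catch-all mailbox the
    Delivered-To: header is the more reliable source of the recipient.
    """
    hits = Counter()
    for raw in raw_messages:
        msg = email.message_from_string(raw)
        recipients = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
        for _name, addr in recipients:
            service = attribute(addr, secret, domain)
            if service:
                hits[service] += 1
    return hits


# Constructed sample mailbox (not real mail): two spams to canaries, one to an
# address with a guessed tag, one to an ordinary address on the same domain.
SAMPLE_MAILBOX = [
    f"From: pharma@spam.example\nTo: {canary_address('CouponMom')}\n"
    "Subject: Cheap pills\n\nbuy now\n",
    f"From: promo@spam.example\nTo: <{canary_address('remoteassist')}>, other@example.net\n"
    "Subject: Make e-mail fun!\n\nhi\n",
    f"From: promo@spam.example\nTo: couponmom-000000000000@{DOMAIN}\n"
    "Subject: forged canary\n\nhi\n",
    f"From: friend@example.net\nTo: me@{DOMAIN}\nSubject: hello\n\nhi\n",
]

if __name__ == "__main__":
    for service, n in scan_mailbox(SAMPLE_MAILBOX).items():
        print(f"{service}: {n} message(s) to its canary address")
```

A hit only proves that the address left the path you handed it down (your own mailbox, the service, its mail provider or partners), which is exactly the list of hypotheses in the Coupon Mom post; it does not by itself say which link leaked. Use a separate local part on a catch-all domain rather than plus-addressing (me+couponmom@…), since spammers routinely strip the part after the plus.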

Categories: Computer Crime, Ethics

INSERT Ethics INTO Public Web App Testing

October 2nd, 2009 No comments

A few of my posts have involved debating the ethics of public web app testing by security professionals. When the good guys poke and prod public web apps it raises a bunch of ethical questions, besides being legally questionable. Rather than recap my thoughts again, I invite you to read the article which I wrote for this month’s “ISSA Journal.” If you like the article and like some of the articles in the Journal archive, please consider supporting ISSA by joining. I have found it to be pretty valuable.

As always, I welcome your feedback. Feel free to challenge my assertions. All constructive comments will be let through moderation.

Four Great Online Copyright Tools

September 22nd, 2009 No comments

Who knew that a bunch of librarians could produce cool, online tools? Well, the folks over at the Copyright Advisory Network have done just that. Here are four tools to help you navigate the sometimes confusing and seemingly obscure US copyright law:

  • The Public Domain Slider is my favorite of all of these tools. For example, did you know that a copyrighted work first published prior to 1923 is now in the public domain? That means you can use, sell, redistribute and do whatever else you want to all sorts of wonderful print, audio and video. Go ahead and post them to the file sharing sites and have a chuckle if you get a cease and desist letter.
  • The Section 108 Spinner is primarily for librarians and archivists. Under certain circumstances, they get to reproduce entire copyrighted works. Those wily librarians get to have all the fun!
  • The Exceptions for Instructors eTool is for, well, instructors. Just like librarians, instructors can laugh off all of those litigious attorneys who would rather they didn’t know their rights under copyright law. Am I the only one picturing a teacher with a cape and a big © on their chest?
  • Finally, the Fair Use Evaluator helps you to make a subjective determination whether your use is defensible as fair under the law. Remember, fair use of a copyrighted work does not require the permission of the copyright holder. Also remember that it is a defense to infringement, which means that a judge gets to decide if your use was fair once you are sued.

Until next time…

Categories: Ethics, Personal Liberty

Professor Challenges Copyright By Posting Material

September 17th, 2009 No comments

To the best of my knowledge (and I am not an expert), material produced by the government with taxpayer money (with certain exceptions) is in the public domain. As well it should be. If we paid to produce it, it makes sense that we should have access to it. Public domain material is truly free. It is not copyrighted. It’s accessible to anyone for any reason to do anything they want with it. You can copy it, re-use it, make it into other works and make nice bird houses out of it.

Bill Harbaugh, Professor of Economics at the University of Oregon, has challenged the Oregon Attorney General by posting the “Oregon Attorney General’s Public Records and Meetings Manual” online, in direct defiance of a warning from the AG.

The AG believes this is copyrighted material, despite his public position and despite the fact that this is a guide which explains how one can access various public records. That’s an understandable position for the Oregon AG to take, since they sell it for $25.

Today, I applaud Bill Harbaugh. This guy has a set. We need more people, and especially more well-educated and respected people, to draw a line in the sand against abuse of copyright law. Remember, copyright law (at least in the U.S.) was designed to ensure a balance of rights between the creator and the recipient. It is not designed to give the creator absolute rights. At least in this case, it doesn’t even appear that copyright law should apply. It seems clear that this document should be in the public domain.

Way to go, Professor Harbaugh!

Categories: Ethics, Personal Liberty

Amazon Makes Good Over Orwell Incident

September 4th, 2009 No comments

Recently, I blogged about how Amazon removed certain legitimately purchased eBooks from Kindle readers. One of those books, ironically, was George Orwell’s “1984.”

Today, I learned that they’re trying to make up for the incident. According to this thread, affected users are being offered the book back or a $30 credit.

While the DRM issues are still concerning, this is a truly great response from Amazon. They know it was a mistake and are trying to make good. Hats off for customer service.

Amazon, let’s take it one step further and get rid of the DRM on the books. Get rid of the contractual agreements that force users to leave their rights under US copyright at the door. People will still pay for a good product and we will have freed the information. Do the right thing and I’ll become a customer of your digital wares.

Categories: Ethics, Personal Liberty

The Ethics of Probing Web Applications II

September 2nd, 2009 2 comments

Recently, I blogged about the ethical ramifications of hacking websites by security professionals. They probe the sites, discover vulnerabilities, notify the companies, then blog about their exploits. I haven’t decided yet whether or not I consider this an ethical practice and something security pros should be doing. On one hand, companies should be protecting their customers’ information. And if the site is public, they should have an expectation that it will be poked and prodded. On the other hand, security pros have an ethical responsibility to only test the security of sites they are authorized to test. It’s clear that they aren’t obtaining authorization for these tests. And that may very well be illegal, to boot.

Today, I ran across this guy (I don’t know his name) who reveals some security problems in Sears’ website. It’s a problem worth discussing. He makes legitimate points on the security of gift cards. It’s something that people really should be aware of.

But does that justify his actions? I’m still on the fence about this one. It sounds like we need a framework to deal with this problem. We need to stay professional and on the right side of the law, while at the same time exposing poor security.

What do you think? I’d be interested in hearing your perspective.

Amazon Kindle Giveth and Taketh Away

August 27th, 2009 2 comments

By now you’ve probably heard about how the Amazon Kindle erased some e-Books that were legitimately purchased. One of those was George Orwell’s “1984.” I don’t think I have to explain how that just oozes irony. Amazon apologized–a truly class act.

Today, the Consumerist ran a story on how they can’t quite get a straight answer about Kindle licensing. Licensing for a book, you say? Well, yes. Remember, with DRM things aren’t always what they seem.

You see, when you buy the eBook, you’re not really buying the book. I know, it seems like you paid for it, so it’s yours. But, according to Amazon, you really only have a license to read the eBook. It’s as if there’s some sort of special privilege they are granting you to feast your eyes on the author’s creation. Think of it as a long-term rental, which may expire at any given time.

They limit how much text you can clip from the book. US Copyright law allows you to use portions of copyrighted work without the author’s permission under certain circumstances. How much you can use very much depends on context. The courts have looked at individual cases in the past and applied certain sniff tests to determine if the use was fair. But if you buy an eBook, the author calls the shots. What you end up with is a situation where you don’t need their permission to sample the work, but where the digital locks, to which only they hold the key, effectively keep you from exercising that right.

Finally, as the Consumerist article points out, not much of this is that clear up-front. You may not actually find out about the restrictions until you run into them. By that time it’s too late.

eBook readers are convenient–there’s no doubt about that. But as I’ve said before, realize that this convenience comes at a price. That price is the loss of freedom. Think about that.

Categories: Dialogue, Ethics, Personal Liberty

The Ethics of Probing Web Applications

August 26th, 2009 1 comment

I have observed a trend recently that has me internally debating the ethics of the practice. Security professionals are probing public web sites for vulnerabilities, then going through a “responsible” disclosure process with the owners of the site. Then they blog about their exploits and how responsive the owner was to being notified.

How is this different than traditional hacking by the bad guys? Does the disclosure process make it any better? Does the fact they do security for a living and write for security journals make it more ethical? And what of the applications that are vulnerable to routine exploits? What does one do with a successful SQL injection query that just gave you a table full of social security numbers?

On the surface, it seems unethical to me. Attempting to break access controls, even if they are weak, is unethical and maybe illegal. Doing something untoward against another computing resource for which you do not have authorization is treading on thin ice.

But there’s another side to the story here. Applications are moving more towards the software-as-a-service, or SaaS, model. Whereas once you would have been able to download the software and legally and ethically reverse-engineer it, now the application is only hosted on another computer. This changes things in a big way, since you’re working on someone else’s computer now.

The argument could be made that since the application is public, there is an expectation that it will be poked and prodded, so it might as well be the good guys who do it. The bad guys aren’t going to go through a responsible disclosure process, so by the good guys testing the application and making the flaws known to the application owner, everyone benefits (as long as they actually fix it). It can also be said that for security to continually improve, we have to continually test it. If the world is moving towards a web-centric model, we have to move with it.

Honestly, I can see both sides; yet, I am still left with the feeling that, in many cases, it’s nothing more than the security guy trying to have some fun and make a name for himself. If that’s the case, he should carefully consider what that name may be.