This article describes a clever attack against Secret, the “anonymous” secret sharing app.
The technique allows the attacker to isolate a single target, so any posts seen are known to come from that person. The company is working on detecting and preventing this attack, but it is a hard problem.
In general, any anonymity system needs to blend the activity of a number of users so that any observed activity could have originated from any of them. For effective anonymity the number needs to be large. Just pulling from the friends in my address book who also use Secret is way too small a group.
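To make the anonymity-set point concrete, here is an added toy model (not code from the article or from Secret): a viewer's plausible authors are the contacts who also use the app, and a defender-side gate refuses to surface posts when that set is smaller than a threshold. The user names, contact lists and the threshold K_MIN are constructed for illustration.

```python
# Added example: anonymity set behind an "anonymous" post in a
# contacts-based app. All names and lists below are constructed.

K_MIN = 5  # assumed minimum number of plausible authors before posts are shown


def anonymity_set(viewer_contacts, app_users):
    """People who could have written a post the viewer sees:
    the viewer's address-book contacts who are also app users."""
    return set(viewer_contacts) & set(app_users)


def can_show_post(viewer_contacts, app_users, k_min=K_MIN):
    """Mitigation: show posts only if at least k_min distinct people
    could plausibly have authored them."""
    return len(anonymity_set(viewer_contacts, app_users)) >= k_min


def flag_small_sets(viewers, app_users, k_min=K_MIN):
    """Detection helper: names of viewers whose anonymity set is too
    small, i.e. viewers for whom 'anonymous' posts are attributable."""
    return sorted(
        name for name, contacts in viewers.items()
        if len(anonymity_set(contacts, app_users)) < k_min
    )


# Constructed sample data.
APP_USERS = {"alice", "bob", "carol", "dave", "erin", "frank"}
VIEWERS = {
    # Many contacts use the app: a post could be from any of six people.
    "normal": ["alice", "bob", "carol", "dave", "erin", "frank", "grace"],
    # Only one contact uses the app: every post seen must be from erin.
    "isolating": ["erin", "zed", "yuki"],
}

if __name__ == "__main__":
    for name, contacts in VIEWERS.items():
        s = anonymity_set(contacts, APP_USERS)
        print(f"{name}: {len(s)} plausible author(s), "
              f"show posts = {can_show_post(contacts, APP_USERS)}")
    print("viewers below threshold:", flag_small_sets(VIEWERS, APP_USERS))
```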
Russia seems to have a conflicted relationship with Twitter and Internet censorship in general.
While trying to portray themselves as open and democratic, they clearly have a real problem with the radical openness of social media like Twitter.
Maxim Ksenzov, deputy head of Roskomnadzor (Russia’s censorship agency), said Twitter is a “global instrument for promoting political information” and that they could block Twitter or Facebook in minutes.
Prime Minister Dimitri Medvedev responded on his Facebook account, saying that state officials “sometimes need to turn on their brains” rather than “announcing in interviews the shutdown of social networks.” That is not quite the same as saying that they would not do so.
The primary desire in Russia is for Twitter and all other social networks to open offices in Russia. That would smooth communications, but also provide leverage to push for censorship or access to data as needed.
For millennia people have asked the question “what happens to us when we die?”
While the larger spiritual question will continue to be debated, the question about what happens to our on-line data and presence is more recent, and also more tractable.
Until very recently little thought had been given to this issue. Accounts would simply continue until subscriptions lapsed, the website shut down, or the account was closed for inactivity.
This has led to some rather creepy results. I have lost some friends over the last few years, but I continue to be haunted by their unquiet spirits, which remind me of their birthdays, ask me to suggest other friends for them, and generally keep bobbing in my virtual peripheral vision.
Many social media sites do have a process for dealing with accounts after the death of their owners, but they are cumbersome and I have never actually seen them used. Generally, they are only engaged postmortem, by the family of the deceased. Assuming that they don’t have the passwords to the account, they need to contact the provider in writing and provide proof that they are a relative and of the death of the account’s owner.
Google has an interesting idea that I would like to see other sites adopt. They have set up the “Google Inactive Account Manager” which allows the user to specify what will happen in advance. The user specifies what length of inactivity should be taken as a sign of death. Once that is triggered, Google contacts the user using secondary email accounts and phone numbers, if available, to make sure this was not just a long vacation or a loss of interest. If there is no response to that, then the Inactive Account Manager kicks in.
It notifies a list of people that you specify that this has happened. You have the option of having your data packaged up and sent to some or all of those people. Finally, you may have it delete your account, or leave it available but closed as a memorial.
This may not be the perfect implementation of this concept, but it is an important step.
So please, set up your digital will, and let’s put a stop to the digital zombie apocalypse.
Welcome to episode 7 of The Privacy Blog Podcast.
In April’s episode, we’ll be looking at the blacklisting of SSL certificate authorities by Mozilla Firefox: specifically, what this complex issue means and why Mozilla chose to start doing this.
In more breaking online privacy news, I will be discussing the security implications of relying on social media following the hacking of the Associated Press Twitter account earlier this week.
Next, I’ll chat about the “right to be forgotten” on the Internet, which hinges on the struggle between online privacy and free speech rights. In a closely related topic and following Google’s release of the new “Inactive Account Manager,” I will discuss what happens to our social media presence and cloud data when we die. It’s a topic none of us likes to dwell on, but it’s worth taking the time to think about our digital afterlife.
Last week the Twitter account of the Associated Press was hacked, and a message was posted saying that bombs had gone off in the White House and the president was injured.
Obviously this was false. The Syrian Electronic Army, a pro-regime hacker group, has claimed responsibility, which does not prove that they did it.
There is talk about Twitter moving to two-factor authentication to reduce similar hacking in the future. While this is all well and good, it will not eliminate the problem.
The bigger issue is that these poorly secured social media sites are used by people around the world as reliable sources of news.
Apparently much of the resulting market crash came from automated trading systems parsing the tweet and generating immediate trades without any human intervention at all.
The DOW dropped 140 points in 5 minutes.
The creators of these trading algorithms feel that news from Twitter is reliable enough to be the basis of equity trades without any confirmation or time for reflection.
Certainly very large amounts of money were made and lost in that short period.
Why make the effort to hack into what we hope is a well-defended nuclear power plant or other critical infrastructure, when you can cause similar amounts of financial damage by subverting a nearly undefended Twitter account?
Because individual Twitter accounts are not considered critical infrastructure, they are hardly protected at all, and they were not designed to be easy to protect.
Nevertheless we give Twitter, and other social media, substantial power to influence us and our decisions, financial and otherwise.
Take for example the crowd-sourced search for the Boston bombers on reddit. Despite the best of intentions, many false accusations were made that had a major impact on the accused, and one can imagine scenarios that could have turned out much worse. What if the accused had committed suicide, been injured in a confrontation with authorities, or been the victim of vigilante action? Now, what if there had been malicious players in that crowd intentionally subverting the process, planting false information, introducing chaos, and causing more damage?
This is an interesting problem. There are no technical or legislative solutions. It is a social problem with only social solutions. Those are often the hardest to address.