Showing posts with label privacy. Show all posts

Friday, March 27, 2009

Book Review: "Googling Security: How Much Does Google Know About You?" by Greg Conti

I just reviewed "Googling Security: How Much Does Google Know About You?" by Greg Conti and gave it 3 out of 5 Amazon stars. Here is the review, also posted here:

Fails to Scare A Paranoid

I think the book has good information and I enjoyed reading it. However, as I was reading the book, I developed an impression that this was a book meant to scare the reader into some kinda behavior change. In other words, I felt that the book was written to highlight the risks, to explain why giving somebody so much information about your online activities is a risky, bad thing and that you should do something differently.

Despite the fact that I enjoyed the book, I think this is where it fails. As somebody who works in security, I consider myself to be pretty paranoid, but the book failed even to scare me! After reading it, I did not become afraid of Google at all. The author highlights some of the presumed risks, but he fails to present scenarios that make the dangers come alive; instead, he makes vague statements ("you know, it can be pretty bad"). So he ends up with a “non-scary Scary Tale.”

For example, when talking about ads, and especially targeted ads, the book suggests that such consumer profiling is scary, but doesn't explain how and why.

To conclude: the book presents a good story of how much Google knows about you, but my impression was that the risks are not made to be scary enough and few resulting behavior changes are suggested. It goes a little like this at times: “OMG, you CAN be hit by the car if you cross the street!” A couple of times while reading it I thought that “you have no privacy, get over it” trumps what's written in the book...

Wednesday, January 30, 2008

Online = Public

Yes, I've heard of access controls and such. However, it is more useful and safe to believe what was mentioned in the article: "It is ridiculous to think that there is privacy on public websites." (not to say that it is true in all cases...)

If you are sharing online - think 'you are sharing with the world.' If you want it private, keep it private (= offline) ...

Tuesday, January 22, 2008

IPs Now Private Info?

Thru ha.ckers.org we learn (original here) about something that might have pretty dramatic implications for logging and log management: "IP addresses, string of numbers that identify computers on the Internet, should generally be regarded as personal information, the head of the European Union's group of data privacy regulators said Monday." (the quote is related to the EU fight with Google, also described there)

Wow! If accepted, this will have quite some implications for logging (ha.ckers.org outlines a few fun implications as well), since it will dramatically increase the sensitivity of logs and will turn all logging projects, no matter how small and tactical, into "PII collection efforts" with a heavy privacy price to pay.

Now I have to share the dirty, evil thought that crossed my mind when I read it: at one point, Google and other companies should just boycott those "'dumb privacy' freaks" and conduct a wonderful experiment: how long will those Europeans survive without search engine "service?" But wait a few years, Google, before pulling the plug: it will make sure that the Internet becomes truly indispensable ...

Also, what do I mean by "dumb privacy"? Am I anti-privacy? No (not anymore), this is where I explain it. I did experience my eureka moment during a webcast on privacy when I realized the existence of a "privacy chasm" (see more here)

UPDATE: Richard Stiennon calls it "crazy talk of the third degree" here.

Thursday, October 25, 2007

Damn Them Logs :-)

When I see stuff like this, I cannot help but think - got a 'Delete' key? USE IT!!!!

"Caution: Visit the Phoenix New Times online site and automatically become ensnared in an Arizona criminal probe.

That's because Arizona authorities are demanding the Phoenix New Times to hand over the names and internet protocol addresses of anybody who read its online news site since Jan. 1, 2004."

Stuff like this gives logging a bad name in privacy circles ... And you know what? Maybe they are right... sometimes. Just reach for that "Delete" key....

Monday, September 24, 2007

Fun Privacy Discussion

I took part in this privacy-related panel podcast (audio here, description here) titled "Do we have privacy anymore?."

It was actually very fun since I tried to play the devil's advocate and steer the discussion towards "Do we WANT privacy anymore?" And you know what? While doing it, it dawned on me that there are "two privacies" or a "privacy chasm" of sorts.

On one hand, we have the "Facebook pix don't matter crowd" (sample)
On the other, we have medical record sharing among "partners"
etc, etc.

I think loss of privacy is not a big deal. Really! If you don't like your privacy, just toss it :-) like many did. However, the loss of CHOICE of what gets shared/publicized IS a big deal.

To summarize, I bet all people, who think that pics of them naked on Facebook are perfectly OK, will NOT want to be denied employment since their doctor shared their health issues with their insurance which then shared the info with their would-be boss ...



Thursday, September 13, 2007

Pre-post on Logging and Privacy

As I am working on a long and fun blog post related to logging and privacy, here is one fun bit: semi-silly predictions of privacy (lack thereof) in the year 2020.

And, of course, a fun logging bit: "All e-mail and logs of network and search activity will be stored permanently." (I am assuming one needs also to add: all activity on computers and networks is logged, as I said here)

Tuesday, September 04, 2007

What Happens If One Marries ...

... a screwed-up security to a screwed-up privacy?

Answer: NASA. The idea is disarmingly simple: require very detailed background checks for all employees, collect mammoth amounts of data and then lose it (the last part hasn't happened yet - but I am pretty sure it is in the works :-))

But people figured that they will fight it! Can they win?

Tuesday, July 03, 2007

On Banks Checking Your PC Before Transactions?

Is this good? Is this scary? Do you want your bank "doing a NAC thing" on your PC before allowing you access? "Banks are seeking access to customer PCs used for online banking transactions to verify whether they have enough security protection."

After I thought about it for a while, I decided that it IS a good thing, UNLESS their policy will now say that "customer is liable for all web transactions" [including those done by malware not detected by the bank security check...].

If that will indeed be the case (the article doesn't say it though), it will be time to change banks "because of security." :-)

Thursday, June 28, 2007

He-He, Privacy :-)

Dancho Danchev reports:

"POSTACRIME.COM is a free service for anyone to upload photo or video content of burglary, theft, vandalism, or other criminal acts that have been caught on camera for the purpose of identification by the public."

Things like this further strengthen my impression that the old definition of privacy ("right to be left alone") is about to die ...

Wednesday, June 27, 2007

Google, Privacy and Stuff Like That

I dunno, it took me a while to say something about this whole Google vs Privacy Intl debacle.

First, I actually learned about it from ha.ckers.org (see this thread), where the author takes a pretty extreme (IMHO) view, siding with Privacy Intl.

I commented thus: 'This looks to me like an opportunity to SCREAM: “You have no privacy, GET OVER IT.” So they collect and analyze data on us - great. So? :-) Yes, one can create nightmarish “New 1984” scenarios but then again you are much more likely to get something useful out of it. My conclusion on this: overoveroverblown concerns. It reminds me of the recent blooper by some guy who said “blogs are the evil guys’ tool”'

On the other hand, if "Privacy Intl is bought by Microsoft" is indeed the official position of Google, then I guess we are all screwed, since saying stuff like this without any proof sounds pretty freaking evil ...

Still, I somehow believe (and I am willing to admit that I was somehow brainwashed into doing this), that stuff like this is more "real Google." (a quote: 'should the German federal government failed to drop its controversial draft bill on the monitoring of telecommunications and Internet traffic Google has threatened to shut down its e-mail service Google Mail in Germany. [...] These plans were "a severe blow to privacy," Peter Fleischer, the man globally in charge of protecting Google user data')

Overall, my take on this is "we'll see" - I have a sneaking suspicion that privacy will be redefined in the coming years and what was once private will be freely shared. And this is how this conundrum will be solved ...

UPDATE: and after stuff like this people still think Google sux at privacy. Maybe Privacy Intl is indeed bought by MS folks.... (a quote: "Are you using Windows Vista? Then you might as well know that the licensed operating system installed on your machine is harvesting a healthy volume of information for Microsoft. In this context, a program such as the Windows Genuine Advantage is the last of your concerns. In fact, in excess of 20 Windows Vista features and services are hard at work collecting and transmitting your personal data to the Redmond company.")

Wednesday, June 06, 2007

New Face of Privacy

In her ever-insightful post called "Raunchy old photos will be part of the revolution", Penelope Trunk says: "The whole idea of our lives being available for public display is actually pretty cool. Think about it. If the world already knows what we do in our spare time and we are all able to be completely open about our interests, thoughts and ideas without fear of retribution or not being hired then we can bring our whole being to work everyday."

While some privacy fans will scream in horror, I think this is the new face of privacy for the times to come. As I mentioned before, I think hiding is overrated :-)

Thursday, February 15, 2007

Yet Again, On ISP Log Data Retention

Can somebody once again explain: why some say that "retention of records by Internet Service Providers" will "stifle online communication?" The quoted proposed law is H.R. 837 aka SAFETY Act.

Seriously, people, will you communicate less if you know your ISP logs all connections? May I also remind you of this blurb.

Thursday, November 30, 2006

Somehow, This Caught My Attention :-)

A very fun read: "A Hard Lesson in Privacy" that somehow caught my interest. I wonder why... need to psychoanalyze ;-) It all starts from "My brother-in-law just bought a used Intel 20" iMac. The seller was a nice looking blonde, who didn't wipe the disk."

Friday, September 22, 2006

Access or Access+Audit?

Now, this is one of'em philosophical posts. After all, I do have to justify the "Ph" in my Ph.D., right? :-) At the same time, this post will have an unmistakable stench of a rant :-) for some of my readers.

Recently, I was involved in some fun discussions on storage security. And, in most cases, you store "stuff" to let others access it, not just for archival or - gasp!- compliance purposes. One of the storage vendors I talked to recently mentioned that every year they've been in business (since early 90s), they have to add one or more audit features to their information access solution to increase the level of details, performance of their audit logging or whatever other audit related feature.

My response was: "What? You didn't build them from the very beginning?" And then I thought: why provide access without audit logging?

No, really, why have it?! Disks are cheap, bandwidth is affordable, CPUs are powerful: why provide access to any information without having an ability (at least) to log each and every successful and failed access?

Before some of you label me "a privacy Nazi", I have to disclose that I am somewhat of a fan of Scott McNealy's saying "You have no privacy. Get over it." Having access audit info is useful in so many cases, that not doing it becomes inexcusable and, frankly, stupid. Some of the many uses for such information are:

  • Operational troubleshooting: knowing who failed to access the info and why
  • Policy audit: who accessed what, with or without authorization?
  • Regulatory compliance: legal requirement to have audit data is there to stay
  • Incident response: what info got stolen and by whom?
  • Information access trending and performance optimization: are we providing quick and reliable access to information?

So, what about privacy? Privacy is defined (in Wikipedia, where else) as "ability of an individual or group to keep their lives and personal affairs out of public view, or to control the flow of information about themselves." We see two completely different things here: keeping the info out of public view and controlling the info about you. The former is clearly reasonable and possible. How about the second? To be honest, it sounds like a sheer idiocy to me, because you do not control it and never did. You've got to a) become invisible and b) stay home all the time :-) for a fair shot - albeit not a certainty! - at controlling the info about yourself. I can still talk about you - and thus control the information flow about you - by saying "ah, that invisible guy that stays home all the time!" :-)

So, what is the connection between the above definition and my call for "no access without logging"? Logging is NOT a privacy risk; inappropriate use for collected data is. Before you object by invoking the infamous "guns don't kill people; gaping holes in vital organs do" :-) I have to say that the above privacy definition is about access to information about people, not about the existence of said information. And, yes, Virginia, there IS a difference!

Similarly, nowadays many folks are appalled when they see stuff like this ("Fresh calls for ISP data retention laws. US attorney general cranks up the volume."), but it actually - gasp! - seems reasonable to me, in light of the above. Admittedly, if your bandwidth is so huge that you cannot log and retain, you might be able to avoid logging or at least avoid long term log retention, but that is a different story altogether.

Another thing that is tied to this is the whole "privacy vs security" debate which never quite made sense to me - until now. This is indeed the area where those who want to have logs for security and other uses will clash with those who don't trust controls on the collected log data and would prefer for such data to never get created in the first place. But that would be a subject of a follow-up post later....

So, has doing security and especially log analysis for whatever number of years gone to my head? Or am I onto a critical trend here? Comment away!!!


Dr Anton Chuvakin