New post up at Web Insecurity but since it's short, you get the whole thing here:

Now, I haven't verified this at all, but here's an interesting link for you: Ankit Fadia / Manu Zacharia - "Network Intrusion Alert" Heavily Plagiarized.

An extremely detailed analysis has been performed for the first chapter (10 pages) to show the scope and method of plagiarism. Our analysis shows that roughly 90% of the first chapter, including the six graphics used, has been taken from other sources. Due to time constraints, notes are used for brevity for the rest of the material.

Given my experiences with plagiarism among my undergraduate students and the recent Cooks Source plagarism story (which attracted quite a lot of attention)... I'm sadly inclined to believe that this entire book may be plagiarized.

What's funny about this story is that the book in contention here is titled "Network Intrusion Alert: An Ethical Hacking Guide to Intrusion Detection." Emphasis mine.

Short post up on Web Insecurity about a hilariously, brutally honest privacy policy. An excerpt from the policy:

So just to recap: Your information is extremely valuable to us. Our business model would totally collapse without it. No IPO, no stock options; all those 80-hour weeks and bupkis to show for it. So we’ll do our very best to use it in as many potentially profitable ways as we can conjure, over and over, while attempting to convince you there’s nothing to worry about.

You can read the whole policy here or you can read my summary and commentary on Web Insecurity.

Starbucks' Christmas Bokeh
by pierofix.

Engineer Gary LosHuertos decided to try Herding Firesheep in New York City: He sat down in a Starbucks, opened up his laptop and started gathering profiles, then sent messages to people whose facebook accounts he could access warning them of the security flaws. Some people closed up and left, but some just ignored his message and went on with their day. Confused, he sent another message, but they just didn't seem to care and continued using their accounts.

He was appalled that people, even when warned, would ignore a security flaw, but it's actually well known that people reject advice. The interesting part of the story comes with Cormac Herley's paper "So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users" -- it turns out that it makes perfect sense that people refuse to do security things, and fixing the flaws that firesheep draws attention to is just another example of where security advice just isn't worth following.

You can read the full version of this post on Web Insecurity: Apathy or sensible risk evaluation: why don't people care about security?

Tuesday's post on Geek Feminism entitled : "Quick Hit: Men, Medicine, and Meritocracy vs Affirmative Action" has some interesting discussion going on in the comments. The article is about how med schools in Canada are seeing more female applicants than male ones (and are accepting a lot of women) and some of the "stealth" affirmative action that's been taken to keep medicine from getting very disbalanced.

Wednesday's post on Web Insecurity is about firesheep. Nothing too insightful, just lauding the cleverness of it in a social hacking sense, and thinking, "why didn't we ever bother to build this in university?" (We did similar hacks for fun and education of our peers.)

Wednesday's CU-WISE blog post is on the subject of Dot Diva: The Webisode. (You can also see an extended version of the dot diva post on Geek Feminism.) We see a lot of outreach aimed at teaching girls computer science, but this is a project that tries to tackle the image of computer science. Their inspirations included the changed attitudes towards forensics thanks to shows like CSI. I'm torn because I found parts of the webisode awkward, but others fun, and I really think they've got some good brains and ideas behind this project.

Thursday's Web Insecurity post Why 12 year olds may be our best bug hunters is about this cool 12 year old boy named Alex Miller who collected on one of the Mozilla bug bounties. I always find adult reactions to smart kids can be a bit strange and sometimes condescending, so this is me musing on how the 12 year olds I've worked with are actually pretty awesome.

In non-blogging news, I'm working on some stuff about web standards vs attacks and vulnerabilities that I'll probably be posting privately soon for comments and ideas before I start putting together more comprehensive ideas for the IETF websec group. Their current discussion on dnssec irks me because it seems... mildly irrelevant to some of the real problems I assumed the group was destined to solve. I'm biased on the subject of DNSSec (see The Futility of DNSSec), but surely websec should be talking about more broad initiatives?

Crossposted from Web Insecurity. Please comment there if you want to comment!

I think twitter may have among the simplest privacy settings of any social network. Your choices are either everything you post is public, or everything you post is private.

But simple does not mean that things will stay private. Just like everything on the internet, the minute you post something someone else might choose to share it. Some researchers have actually studied how often people retweet private content on Twitter.

Something I haven't seen studied, however, is how private information can leak out through twitter lists.

Twitter allows you to make lists of people who you'd like to have grouped together. For example, I have a list of technical women who I follow. These are women in technology who I've met in person or interacted with extensively online, and I really made it for my own personal use but since it's a public list others can (and do) follow it. Presumably they're looking for more cool women to expand their social networks.

Twitter allows you to see what lists a person has been added to, and this is where it gets interesting. Let's take a look at the lists of which I am a member and see what we can learn about me.

Here's a few things you can get a glance:

• I have a lot of real-life friends on twitter (and now you know many of them are)


• I'm a musician


• I work in security, technology and on open source software


• I'm speaking at an upcoming conference and have attended a variety of events


• My friend Leigh is stalking me ;)


• I live in Ottawa

Wait... what? Despite the fact that I explicitly chose to say a more generic "Canada" in my profile information, my current city can be determined by the fact that it shows up in several of the lists I'm on. There's of course no way to be sure that any of this is true, but when more than one person lists me as being in Ottawa it seems fairly reasonable to guess.

I'm not personally concerned (obviously, since I'm talking about all this information in a public blog post!) but some folk are much more private than I am.

So what are your options if you want to hide this information? Well, if I don't like the lists I'm on, I can... uh... There's no apparent way to leave a twitter list. I suspect one could block the list curator, but the people revealing your location are most likely to be actual real life friends: people you wouldn't want to block. So you'd have to resort to asking nicely, but that's assuming you even notice: while you can get notifications of new followers, you do not get notified when you're added to a list. I've been asked about exactly two of the lists I've been put on (thanks @ghc!) so obviously it's not the social norm to ask (I certainly have never asked anyone I've listed!)

A quick check says I can usually get the current (and sometimes some former) cities for many of my friends, as well as information related to their occupations, interests, and events they've attended. For most of these people, I know this isn't information they consider private either. But it's obviously possible that this could be a problem... I wonder how many people it affects in a negative way?

Maybe this is a potential little workshop paper if I have time to analyse a whole bunch of twitter lists. Anyone want to lend me a student who's interested in social media privacy?

Edit: A note for those concerned about not being that privacy-violating friend. You can make twitter lists private if you want (it's just not the default), so just do that for the lists you think are sensitive and you're good to go!

This is a cross-post from my web security blog.

I'm happy to see that Gizmodo is already recommending that people disable Facebook Places in as much as you really can. And the article has a nice step-by-step on how to limit the amount your friends can (accidentally or intentionally) violate your privacy.

But I take issue with the fact that their examples were "you're lying to your girlfriend" and "you're cheating on your wife." Seriously? I know they were trying to be funny, but the implication you get from the article is that privacy should only matter in this way if you've got something to hide. But that's not the case:

What about a parent who doesn't want to advertise to strangers the exact geo-location of the parks his kids play in every day?

What about a woman who has received threats from unpleasant people who feel that women should not be involved in open source software?  (I wish I were kidding, but this happened to me, and other people receive threats from disturbed individuals online.)

What about someone shopping for an engagement ring who meets a friend at the mall?

There's plenty of reasons one might prefer privacy. I think maybe we would do well to include this sort of example in articles, so that even those living utterly honest lives will realize that privacy is important to them and people they care about.

I put up a big post at Web Insecurity detailing my presentation at W2SP yesterday.

No Website Left Behind: Are We Making Web Security Only For The Elite?

Here's some choice slides, but you should really check out the whole presentation, or read the paper! (It's only 4 pages long and should be pretty readable even for non-academics.)

Here's 9 slides to give you an idea (in theory this should be a nice square display, but if you're not viewing this post on dreamwidth it might not be.)

Wrote this post for Web Insecurity on the weekend and scheduled it for Monday... But on Monday I was busy drinking water and getting ready to donate blood, so I never posted something here. Oops.

The advertising social contract vs malvertisements: how can online advertisers earn your eyes?

It's mostly musing about how ad blocking actually makes you safer while web browsing, and whether advertisers will wind up rising to this challenge by giving us ads that are worth unblocking or ads that go beyond banners. I gave up my TV years ago, and I still have people telling me about great TV advertisements I missed. Very few people tell me about banner ads I missed. And I think the last time was those Evony ads which is an entirely different category of "you've got to see this!"

In other web security related news, or perhaps Terri-in-web-security related news, I found out last night that my W2SP talk has to be 5-10 minutes long rather than the 15-20 I expected. This presents a challenge, but I can rise to it. Just not in time to do a practice run at 3pm today as I'd planned. I actually have under 10 minute slides from my presentation the week before last, but I skipped some stuff in that talk that I need to put in to the final one, so we'll see how that goes.

Anyhow, if you're curious here's the W2SP schedule -- Apparently there's still space in the workshop if you're in the bay area and interested in attending a web security workshop next week.

New post to Web Insecurity:

How Foursquare can help people steal your stuff. PS - Want to buy some privacy insurance?

I talk a bit about the totally awesome PleaseRobMe.com and meditate a little on what it would take for people to care about privacy in a way that would keep them safe. Conclusion? They never will, so if I really want to make money I should be selling privacy insurance. If only I could figure out how to make that work... Can't you just imagine a team of lawyers descending upon your mother to do damage control when your friends' drunken antics get leaked through Facebook?

Another post to Web Insecurity. This one is pretty much explained by the title:

Amex thinks shorter passwords without special characters are more secure

I was working on a background section of my thesis proposal and was talking about how some misconceptions regarding security policies can result in web sites being a lot less secure. But [American Express] takes security misconceptions to a new low...

(Read the rest. And weep. Or laugh. It's pretty terrible.)