Facebook HTTPS setting is borked

by on Feb.07, 2011, under Reviews, Security, Whining

We are all so busy applauding facebook for adding an “always use HTTPS” setting (thanks for finally responding to firesheep, folks), but maybe we should look a little more closely at it before telling the moms of the world to just set it and forget it. The stupid thing turns itself off (and doesn’t turn itself back on) when you go to a non-HTTPS facebook page.

In case you haven’t seen it described on 50,000 websites at this point, here’s the deal with the new “feature:”

Click on “Account” at the upper right of your facebook page and choose “Account Settings” … you’ll get something like this:


Click on “Account Security” and you’ll be able to check the new https box, illustrated here:


Note that it says “whenever possible” … this implies that there are some parts of the facebook site that are NOT capable of being served via https. I have no idea why this is still the case, but it clearly is. The wording would also imply that once you check this box, you will get an https connection “whenever possible” and an http connection when https is not possible. What it DOESN’T say is that the first time you view a non-https page, the box will simply uncheck itself, and the next time you go to an https-capable page, it’ll be back in vanilla http mode.

So what are these non-https-capable pages? I can’t speak for all of them, but I’d be willing to bet that most of them are “facebook applications.” The only facebook app I use is Scrabble. After checking the https box, I tried to go to Scrabble and I got this page first:


Excellent, right? It is warning me that I’m leaving the safe-and-cozy https-zone. What this warning SHOULD say is “if you hit ‘continue,’ you are permanently turning off the https option.”

Yes, that’s right, once I’m done playing my turn in the http-only-danger-zone of the Scrabble application, I go back to facebook home and I’m back to http.


I went back to check my account settings and I see this:


Well, that’s just fantastic. What’s the point of saying “whenever possible” when it means “until impossible?” This has to be a mistake, and I hope they fix it… then we can all tell our moms to go and re-check the box as it has probably been turned off when they went to play farmville or whatever the hell other pages are non-https.

This was discussed on Tech News Today (first 5 minutes)
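As an added example (not from the post), a small Python audit that takes a constructed browser request log and flags exactly the failure described above: the session cookie sent over plain http to a site it had already been sent to over https. The log lines, hosts and paths are constructed, and cookie_is_secure shows the server-side fix: a cookie with the Secure attribute is never sent over http, whatever the checkbox says.

```python
import re

# Constructed browser-side request log (not from the post) for the scenario it
# describes: HTTPS is on, the user opens an HTTP-only app page, then returns to
# the home page, which now loads over plain HTTP with the session cookie attached.
LOG = """\
2011-02-07T10:00:01 GET https://www.facebook.com/ session=yes
2011-02-07T10:00:09 GET https://www.facebook.com/account_settings session=yes
2011-02-07T10:01:30 GET https://apps.facebook.com/scrabble/ session=yes
2011-02-07T10:01:31 GET http://apps.facebook.com/scrabble/ session=yes
2011-02-07T10:05:00 GET http://www.facebook.com/home.php session=yes
2011-02-07T10:05:02 GET http://static.example-cdn.net/app.js session=no
"""

LINE = re.compile(r"^(\S+) (\w+) (https?)://([^/\s]+)(\S*) session=(yes|no)$")


def site(host: str) -> str:
    """Registrable-domain approximation: a cookie scoped to .facebook.com goes to
    every subdomain, so www and apps share the same exposure."""
    return ".".join(host.split(".")[-2:])


def find_downgrades(log: str) -> list:
    """Return (timestamp, url) for every request that sends the session cookie
    over plain HTTP to a site that had already carried it over HTTPS."""
    seen_https = set()
    hits = []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # the constructed log always parses; skip anything else
        ts, _method, scheme, host, path, sess = m.groups()
        if sess != "yes":
            continue  # no session cookie on the wire, nothing to steal
        if scheme == "https":
            seen_https.add(site(host))
        elif site(host) in seen_https:
            hits.append((ts, f"http://{host}{path}"))
    return hits


def cookie_is_secure(set_cookie: str) -> bool:
    """True when a Set-Cookie header carries the Secure attribute: the browser then
    refuses to send the cookie over plain HTTP regardless of any account setting."""
    attrs = [a.strip().lower() for a in set_cookie.split(";")[1:]]
    return "secure" in attrs


if __name__ == "__main__":
    for ts, url in find_downgrades(LOG):
        print(f"{ts} session cookie sent in the clear: {url}")
```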


The TSA and Your Privates

by on Nov.17, 2010, under Security, Whining

I’ve had a lot of thoughts lately on the TSA’s new practices for protecting us from terrorist shenanigans during air travel. My privacy-minded friends and I pass links back and forth each day with horror stories from people who have felt violated by the TSA. All of this came to a head today when Jeff Jarvis said this on twitter this morning:

I may stand alone, but I’d rather be groped than blown up in an airplane with a murderer who had not been groped.

This is clearly an oversimplification of the argument (it isn’t an “A or B” situation…a lot of people on twitter were shouting “False Dichotomy!!”) and is beneath Jeff, in my opinion. For those who don’t know Jeff, you can find info about him here

Generally speaking, I’m a big fan of his work and of his opinions. Just about every time I hear him speak or read his blog, I feel like he “gets it.” Not so much today, though. Jeff kept spouting fallacious arguments in favor of the TSA’s policies and many people responded unfavorably to what he was saying (Jeff has about 55,000 followers, FYI). I think he’d agree that most of his twitter feedback was negative. I jumped in and sent a few replies but I was frustrated, as usual, by the 140 character limit. Jeff replied to a few of my tweets in a very civil manner, as one would expect, except for the fact that he called me a drama queen. Oh, and he joked that people who are against the TSA procedures must have small penises. Once again, this is beneath you, Jeff.

I won’t recap the entire conversation here (you can see it on twitter if you want to), but Jeff agreed to read my argument if I were to post it in blog form… so here we are. I’ll try to keep this as brief as possible, Jeff, I know you’re a busy guy.

“Enhanced” Security Screenings Are Merely Security Theater And Will Not Keep Us Safe

To many people, this is not news. Many years ago (pre-9/11), George Carlin put it brilliantly when he spoke of the illusion of safety. More recently, Bruce Schneier coined the term “Security Theater.” I don’t know why I’m even writing this post since so many others have already made the point so much better than I ever could, such as Noah Shachtman in this piece from the WSJ… but I’ll do it anyway because I have some bits I’d like to add.

Fallacy #1: If we had these measures 10 years ago, it would have prevented 9/11

My opinion:

The only thing preventing 9/11 from happening again is 9/11 itself. Today’s terrorists know they can’t pull off another 9/11-style hijack-then-crash-into-specific-targets attack again because the passengers won’t stand for it. On September 10th, 2001, we were all told that we should comply and be quiet if we are on a hijacked plane. The September 11th attacks depended upon that and, for the most part, it worked. Evidence has shown that this is no longer the case. Passengers that get goofy on a flight get a first-class ass kicking courtesy of their fellow passengers.

So if we had today’s security and September 10th’s mindset, could they have pulled it off? Of course they could have. They possibly wouldn’t have their boxcutters but there are plenty of other ways to intimidate Sept 10th-mindset passengers with equipment you can still get on a plane. Don’t make me list specifics, I don’t want to get a visit from the FBI. Use your imagination… that’s what the terrorists do. Even using something as simple (and previously thought of as harmless) as boxcutters was fairly inventive on their part. They made use of something they were pretty sure they could get through security. When all you have to do is sit around, day after day, thinking of ways to beat a system, you will find a way. As long as the TSA procedures are made public and the limitations are detailed, which has to be the case, the enemy will think of a method to abuse those limitations. Remember, we cannot project our perception of what is acceptable behavior onto them: they will use children or other extreme measures that will make us sick to our very cores if it will help them accomplish their goals.

Fallacy #2: Today’s security would have caught the underwear bomber.

My opinion:

This one comes straight from one of Jeff’s tweets. While this is essentially true, it misses the point entirely. We started taking our shoes off because of the “shoe bomber” and now we get groped because of the “underwear bomber.” Do you see the pattern? There was never another shoe bomber, there will probably never be another underwear bomber (I’d also like to point out that neither of these dingbats boarded a plane in the US…they both went through European security). Both of them sat around their (no doubt) smelly apartments for weeks formulating a plan based on the limitations of the security through which they would have to pass. I really really hate to say it, but there are probably more dingbats sitting in smelly apartments thinking about the same stuff right now.

We keep reacting to previous threats and the bad guys keep evolving. That is the very crux of security theater: make it look like we’re “doing something about the problem.” Would there have been another underwear bomber if we hadn’t started the new procedures? Possibly, but he probably would have been just as successful as the first one. My understanding of the underwear bomber is that he was a nervous mess. He would have been denied access to a plane in Israel simply from one of their well-trained security people talking to him. They probably would have snagged the shoe bomber, too.

Fallacy #3: The logical conclusion is that we’ll all end up flying naked. THEN we’ll be safe for sure.

My opinion:

This may not come as a surprise, but the goal of a terrorist attack is not “blow up planes” or “hijack planes” … it is to kill or injure a very large group of people. Airlines were, for a long time, an ideal target for this kind of action. Some planes carry over 200 people and none of them can get away from the bad guys. Security was really lousy up until the hijack-happy 80’s when people suddenly became afraid to fly. Security was beefed up and hijackings went way down (especially on flights coming out of the US). As a result of this heightened security, pulling off the September 11th attacks took a great deal of planning, organization, and luck.

After September 11th, airlines in the US ceased to be a viable target for serious terrorists. I say “serious” terrorists because the terrorists who have tried to walk through security since then are crackpots and utter failures. The combination of heightened security efforts (pre-gropefest) and passengers who will not be cowed into compliance makes the chances of success drop lower and lower. I’m not saying that there will never be another airplane-based terror attack, I’m just saying the chances are extremely slim at this point. The bombs-disguised-as-toner recently showed that airplanes can still work for terrorists on SOME level but it also shows that they are not willing to try their luck with security checkpoints any more.

If you look at it from the viewpoint of a terrorist who hates America (I know it makes you feel dirty, but you have to understand the enemy if you ever wish to defeat them), I’ll bet you can think of a LOT better targets than airplanes for accomplishing your goals. Once again, I’m not going to name specifics, but I’ve only thought about this for a few minutes and I can think of a few horrific ideas. Now imagine that you are a terrorist and this is ALL you think about.

I’m not saying all this so that you live your life in fear. We simply can’t allow that to happen. The truth is you have a much better chance of being struck by lightning than being injured in a terrorist attack. This doesn’t mean we should not be diligent, but there are limits to what is APPROPRIATE diligence. I feel strongly that the new TSA procedures cross that line. There are better ways to accomplish the overall goal and it is the job of the TSA to find these methods. Replace security theater with actual security.

I don’t know who said it first this morning, but somebody on twitter brought up the following Ben Franklin quote:

Those who would give up Essential Liberty to purchase a little Temporary Safety, deserve neither Liberty nor Safety

Couldn’t be more apt.


iPhone Privacy: What about the SSL Apps?

by on Oct.05, 2010, under Presentations, Security

Following up on our story from last week, we looked more closely at applications which used SSL to encrypt communications between iPhones and remote servers in order to determine if they were transmitting iPhones’ unique identifiers.

We performed SSL MITM attacks against several of these applications to obtain the messages in the clear.

While this study is not yet complete, so far the findings show that many of these applications are using SSL to transmit UDIDs to a remote host.  For example, the “Mirror Free” application, which emulates a mirror using the iPhone’s front-facing camera, was decrypted and shown to be transmitting UDIDs to a remote host.  Here is the plaintext of a portion of the SSL conversation;  the UDID of the test phone is the string beginning with “b3d1bad” and ending with “d46b”.

00 01 00 05 65 6e 5f 55 53 00 00 00 0b 34 2e 30       en_US    4.0
2e 31 2e 38 41 33 30 36 00 00 00 01 00 00 00 98   .1.8A306
0a 28 62 33 64 31 00 00 00 00 00 00 00 00 00 00    (b3d1badxxxxxxx
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   xxxxxxxxxxxxxxxx
00 00 00 00 00 00 64 34 36 62 12 13 63 6f 6d 2e   xxxxxxd46b  com.
61 70 70 63 75 62 62 79 2e 6d 69 72 72 6f 72 1d   appcubby.mirror
00 00 00 00 32 09 69 50 68 6f 6e 65 33 2c 31 3a       2 iPhone3,1:
03 34 31 30 42 03 33 31 30 48 04 52 14 5d c8 f9    410B 310H R ]
23 42 65 ac e5 96 c2 6d 00 00 80 c0 7d 00 40 97   #Be    m    } @
47 58 c0 02 60 e0 03 68 90 01 70 02 7a 03 34 31   GX  `  h  p z 41
30 82 01 03 33 31 30 88 01 00 92 01 03 35 37 30   0   310      570
b2 01 05 65 6e 5f 55 53 00 00 00 0b 00 00 00 09      en_US
0a 05 08 c0 02 10 32 10 01 00 00 00 0c 00 00 00         2
00 00 00 00 0c 00 00 00 00 00 00 00 0c 00 00 00
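As an added example (not part of the original post or study), a Python decoder for the hex dump above: it rebuilds the bytes from the hex column, pulls out the printable strings the way the strings tool would, and scans captured plaintext for 40-hex-digit tokens, the shape of an iOS UDID. The dump is copied from the post; since the authors redacted the middle of the UDID, only its prefix and suffix survive in the output.

```python
import re

# The hex dump from the post above, used here as sample input. The authors
# redacted it: the middle of the UDID is zeroed and shown as x's in the ASCII column.
DUMP = """\
00 01 00 05 65 6e 5f 55 53 00 00 00 0b 34 2e 30       en_US    4.0
2e 31 2e 38 41 33 30 36 00 00 00 01 00 00 00 98   .1.8A306
0a 28 62 33 64 31 00 00 00 00 00 00 00 00 00 00    (b3d1badxxxxxxx
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   xxxxxxxxxxxxxxxx
00 00 00 00 00 00 64 34 36 62 12 13 63 6f 6d 2e   xxxxxxd46b  com.
61 70 70 63 75 62 62 79 2e 6d 69 72 72 6f 72 1d   appcubby.mirror
00 00 00 00 32 09 69 50 68 6f 6e 65 33 2c 31 3a       2 iPhone3,1:
03 34 31 30 42 03 33 31 30 48 04 52 14 5d c8 f9    410B 310H R ]
23 42 65 ac e5 96 c2 6d 00 00 80 c0 7d 00 40 97   #Be    m    } @
47 58 c0 02 60 e0 03 68 90 01 70 02 7a 03 34 31   GX  `  h  p z 41
30 82 01 03 33 31 30 88 01 00 92 01 03 35 37 30   0   310      570
b2 01 05 65 6e 5f 55 53 00 00 00 0b 00 00 00 09      en_US
0a 05 08 c0 02 10 32 10 01 00 00 00 0c 00 00 00         2
00 00 00 00 0c 00 00 00 00 00 00 00 0c 00 00 00
"""

# Exactly 16 hex pairs at the start of a line; the ASCII column on the right is
# ignored so that readable bytes shown there (e.g. "41") are not re-parsed as hex.
ROW = re.compile(r"^((?:[0-9a-fA-F]{2}\s+){15}[0-9a-fA-F]{2})")
UDID = re.compile(r"\b[0-9a-f]{40}\b")


def dump_to_bytes(dump: str) -> bytes:
    """Rebuild the raw message body from the hex column of each dump line."""
    out = bytearray()
    for line in dump.splitlines():
        m = ROW.match(line)
        if m:
            out += bytes.fromhex(m.group(1))
    return bytes(out)


def printable_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Runs of printable ASCII, like the strings tool: locale, OS build, bundle
    id and device model are all readable once the TLS layer is stripped."""
    return [s.decode() for s in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def find_udids(text: str) -> list[str]:
    """Flag 40-hex-digit tokens in captured plaintext. On the redacted dump this
    is empty; an unredacted capture of the same request would be caught."""
    return UDID.findall(text)


if __name__ == "__main__":
    print(printable_strings(dump_to_bytes(DUMP)))
```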

We studied the following applications from our paper and confirmed they are transmitting UDIDs via SSL:

  • Bed Intruder Soundboard
  • Color Fill
  • Galaxy on Fire
  • I Bomber 2
  • Mirror Free
  • Mr. Runner
  • Pimple Popper

In most of the cases where SSL was used, communication terminated on the network.  The SSL certificate used on the servers on this domain indicates that the name of the company is Quattro Wireless.


Quattro Wireless was acquired by Apple and is responsible for serving advertisements through the iAd system.  Quattro Wireless’s website went down after the acquisition, but the Wayback Machine cached the content.  In 2008 they boasted the following capabilities:

Quattro works with our agency partners to devise media plans to leverage our engaged audience based on partner goals and key targeting ideals: contextual, demographic information when available for both on and off deck sources, registration data, behavioral profiling and clustering. Targeting is available throughout the Quattro Network based on:

Channel, country, carrier, handset, time of day, Geo, demographic and mobile behavior across the Network

Standard Web advertising capabilities such as Frequency Capping, Pacing and Smoothing are available on a per campaign basis.

Sound familiar?


iPhone Applications & Privacy Issues: An Analysis of Application Transmission of iPhone Unique Device Identifiers (UDIDs)

by on Sep.30, 2010, under Group News, Presentations, Security

Executive Summary

In 1999, Intel released its newest CPU — the Pentium 3.  Each processor included a unique serial number, visible to any software installed on the system.  A product backlash quickly developed as privacy rights groups realized that this serial number could be used to track users’ online behavior.  The industry, along with trade groups and governments, blasted this new feature; many governments went as far as proposing legislation to ban the use of Pentium 3 CPUs.  Following the outcry, Intel quickly removed the serial number feature from their processor line, never to be re-introduced.

Fast forward a decade to the introduction of Apple’s iPhone platform.  Much like the Pentium 3, devices running the Apple iPhone operating system (iOS), including Apple iPhones, iPads, and iPod Touches, feature a software-readable serial number – a “Unique Device Identifier,” or UDID.  In order to determine if the privacy fears surrounding the Pentium 3 have manifested themselves on the iPhone platform, we studied a number of iPhone apps from the “Most Popular” and “Top Free” categories in Apple’s App Store.  For these applications, we collected and analyzed the data being transmitted between installed applications and remote servers using several open source tools.  We found that 68% of these applications were transmitting UDIDs to servers under the application vendor’s control each time the application is launched.  Furthermore, 18% of the applications tested encrypted their communications such that it was not clear what type of data was being shared.  A scant 14% of the tested applications appear to be clean.  We also confirmed that some applications are able to link the UDID to a real-world identity.

The iPhone’s UDID is eerily similar to the Pentium 3’s Processor Serial Number (PSN).  While the Pentium 3 PSN elicited a storm of outrage from privacy rights groups over the inherent risks associated with the sharing of such information with third parties, no such concerns have been raised up to this point regarding the iPhone UDID.  As UDIDs can be readily linked to personally-identifiable information, the “Big Brother” concerns from the Pentium 3 era should be a concern for today’s iPhone users as well.

The full report is available here:  iPhone-Applications-Privacy-Issues.pdf.

Update:  iPhone Privacy:  What about the SSL Apps? (10/5/2010)


Give us all your data… you can trust us…

by on Oct.05, 2009, under Whining

So I just saw a tweet from announcing Best Buy’s new mIQ sync service for smartphones. Simply put, the service will sync your contacts, text messages, call history, calendar, photos and videos to their servers. If you were to lose your phone, get a new phone, or simply want to get to your phone’s data from the web via a computer, this service will allow you to do so. For free. No strings attached, I’m sure.


Just sign up now and they’ll start activating accounts next week. Sounds pretty good, right? Nothing could go wrong there. I’m sure they have a bulletproof privacy policy that states how your data will be kept private and will not be shared with partners…or snooped through by Best Buy…etc. Right? Well, how about we just click on that little “Privacy” link at the bottom right.


Whoops. Evidently that part isn’t complete yet. But don’t let it stop you from signing up! A twitter search on “mIQ” shows a bunch of people talking about how great it sounds and how they are signing up for accounts.  I know they haven’t actually installed an app yet or shared any sensitive data, but don’t tell me most of those people are going to go hunting for that privacy policy before doing so. They’ll install the app, they’ll share their data…privacy policy or no privacy policy.

Come on, people…

Oh, by the way… word is that this software will come pre-installed on supported smartphones purchased from Best Buy.

Update: The privacy policy has now been posted. I haven’t had time to read it yet, but I will. I’ll leave this post up regardless, though, because the point wasn’t so much that mIQ is up to no good… but that people pay zero attention to such things.


