App privacy issues for smartphones

Ooh boy.

For those of you who freak out about Facebook apps and their privacy problems, will you stop using apps on smart phones as well?  Not that I could blame you.   It’s a thorny issue, balancing profitability and privacy…

We all decide what level of privacy invasion we’re willing to accept – in the form of which country we choose to inhabit, how we do or do not use social networking, how we interact with retail establishments, how we interact with government agencies and banks, how we interact with strangers and acquaintances, even how we interact with friends and family.  But more and more, the decision is being made after our privacy’s already been breached without our knowledge.

This is the part that bums me out more than anything.  It’s the de facto standard now for some third party to discover the breach.  And the outcry is so small that little changes.

Do you think this will change in the future?  If so, how?  Will it involve government regulation such as has recently been suggested?

Let’s go play in the sandbox!

Today’s news brings a couple of articles discussing big-name companies who’ve decided to use sandboxes to make a more secure computing experience. This isn’t a new technique; it’s one which has been used with varying degrees of success by a number of different companies.  I find it most meaningful in that more companies are changing their architecture to try to be more secure, rather than just relying on patches or 3rd party companies to create plug-ins to do the job.  I’m sure this won’t obviate the need for either, but …I digress.

I particularly liked this quote from Brad Arkin, Adobe’s senior director of product security and privacy:

“We’ve done everything we can to build the walls of that sandbox as tall as possible,” Arkin said. “We’re not sure how the offensive community will react. They may move on to a different product and attack QuickTime instead, or they may look at other applications that are easier to attack. Or they may find clever ways to carry out some type of malicious activity against Reader which are quite different than the attack techniques that they use today.”

It’s decidedly not warm and fuzzy, but it tells me they have decently realistic expectations.  Malware authors aren’t going to be stopped by this change; they may focus in the short-term on other products but they may just find new ways in.

Defining terms

I was mildly impressed with this LifeHacker article which defined malware terms.  The descriptions are reasonably accurate.  I didn’t start shouting at my laptop about how horribly misguided its authors were, which is usually what I deem to be a good article in the mainstream-ish press.  Considering how frequently even malware experts disagree, it seems a reasonable benchmark.

I’d like to amend and clarify a couple of points, after reading the comments.  I’m sure this will cause a couple people to shout at their computer due to my oversimplification, but I’m not trying to address every last corner-case.

Malware can be broken down into two basic categories, viruses and trojans.
Malware itself simply means “code created with malicious intent”.

Viruses are self-replicating code.  That means code which copies itself.
Trojans are malicious code which is not what it purports to be.
Worms are viruses which copy themselves over networks (email, IM, web, whatever).

There are viruses and trojans for every major operating system, and for most minor ones.
There is more malware written for Windows machines; this does not mean other OSes are immune or not targeted.

Most drive-by-downloads and “browser hijacks” are trojans.  Most rootkits are trojans.  Same with scareware, spyware, ransomware and backdoors.

Adware is not, strictly speaking, malware but a “security concern” or Potentially Unwanted Program, as its presence/functions are often poorly documented and many system administrators consider its presence on their network undesirable.

Most malware these days is not intentionally data-destructive.  That’s not to say it isn’t unintentionally data-destructive.  Regular incremental backups are a good safety precaution – malware these days tends to wriggle its way so deeply into systems that many people recommend to just nuke and pave a compromised machine.

Does this clear things up?

Mobile model makes malware moot?

I gotta say, upon reading the headline for this article I laughed for a good minute or so.  Yeah sure, buddy.  End of malware.  I’ll hold my breath.

Imagine my surprise when it turned out to be a well-balanced and considered view of the future of the malware environment!  And in a main-stream-ish magazine, no less!

It does leave me feeling somewhat optimistic, that perhaps the security industry’s collective wailing and gnashing of teeth have had some impact on hardware and software designers’ thought processes.  Wouldn’t that be nifty!

I don’t expect, and I don’t think the author expects, that malware will truly come to an end.  What I do think is that malware will begin to be much more difficult for bad actors to create, and perhaps the profitability for them will decrease if there should be such a time that we move away from the existing/legacy software models (and, of course, assuming we don’t give them a hot new platform).  It certainly won’t happen today, and certainly not tomorrow, but maybe 15 years down the line?

Of course, that says nothing about a decline in the future of phishing, so I’m sure there will still be a security industry even if that comes to pass… 🙂

A social balancing act

I’ve been musing on the nature of social networking sites again… no big surprise, nary a week goes by for me where the delicate balancing act of this new paradigm doesn’t come into my conversations.  This time it was a conversation with a friend who actually makes his living in the social networking space.  We were both early adopters of Web 2.0 and continue to be pretty enthusiastic about its possibilities.  In fact, we probably would not have met had it not been for one such site.

That being said, both of us are pretty privacy conscious.  We’ve been conscious from the outset that “the Internet is forever” and that content has a way of wandering outside its origin.  That picture you post today is now pretty well out of your control, and unlikely to stay where you put it – people can easily copy it and post it elsewhere, no matter the protection in place.

Some of our mutual friends have had to deal with the reality of their web-presence, moving from college to the “real world”.  Yes, that info you posted when you were a young’un can come to bite you in the hindquarters when it comes time to move your life into the professional realm.  If it’s not something you would want to have to explain to your grandma, just don’t post it, m’kay?

I also recently overheard a girl who had worked for the Peace Corps talking about how officials in D.C. had contacted her about information she’d posted on her (then public) blog which they found objectionable.  She was quite shocked that anyone outside her meat-space social circle would be reading her blog.  When she was told by the officials what could be done with the information she was sharing, the girl was absolutely dumbstruck.  It’s tempting to think we’re alone in this vast web-o-sphere, but it’s not analogous to the analog world – India is equally as close as Indiana.

There seem to me to be a few basic issues:

  1. The pace of change has way outpaced our ability to properly appreciate its consequences.
  2. There has not been a culture of sites offering transparency, but of pushing boundaries until people start screaming.
  3. Users have had a “head in the sand” attitude about all things technology:  Until it’s been proven that something is harmful, they’ll use it blindly.

It strikes me that the best thing for the future of social networking is to adopt a “User Bill of Rights” like the one outlined by this San Francisco Chronicle article.

1. Honesty: Tell the truth. Don’t make our information public against our will and call it “giving users more control.” Call things what they are.

2. Accountability: Keep your word. Honor the deals you make and the expectations they create. If a network asks users to log in, users expect that it’s private. Don’t get us to populate your network based on one expectation of privacy, and then change the rules once we’ve connected with 600 friends.

3. Control: Let us decide what to do with our data. Get our permission before you make any changes that make our information less private. We should not have data cross-transmitted to other services without our knowledge. We should always be asked to opt in before a change, rather than being told we have the right to opt out after a change is unilaterally imposed.

4. Transparency: We deserve to know what information is being disclosed and to whom. When there has been a glitch or a leak that involves our information, make sure we know about it.

5. Freedom of movement: If we want to leave your network, let us. If we want to take our data with us, let us do that, too. This will encourage competition through innovation and service, instead of hostage-taking. If we want to delete our data, let us. It’s our data.

6. Simple settings: If we want to change something, let us. Use intuitive, standard language. Put settings in logical places. Give us a “maximize privacy settings” button, and a “delete my account” button.

7. Be treated as a community, not a data set: We join communities because we like them, not “like” them. Advertise to your community if you want. But don’t sell our data out from under us.