Facebook’s Fall from Grace

Following the attacks on two mosques in Christchurch in which 50 people were murdered, New Zealand’s Prime Minister Jacinda Ardern called on Facebook to do better:

“They are the publisher, not just the postman. It cannot be a case of all profit, no responsibility.”

She has a point. During the shootings in Christchurch the shooter live-streamed his rampage through two mosques. I have seen a couple of screen grabs from the video, and the images look like a very graphic shooter game. We now know that the first man to see him at the first mosque greeted him with the words “Welcome, Brother”, and presumably this greeting was recorded on the live stream. It’s now illegal to publish the video stream in New Zealand, and the article where I saw these images has been taken down. To give Facebook credit, once the New Zealand police alerted them I understand their Global Escalations Team worked to remove instances of the live stream from their platform. But technically, under US law, they cannot be held liable in court for what a user streams.

The video may still be out there. I’m not interested in seeing it, but when researching for this article I found an interesting autocomplete in a Google search, and it seems the effort to remove the video was not perfect.

In the Easter bombings across Sri Lanka, which had a significantly higher death toll, the government worked quickly to block social media, and it continues to circumscribe citizens’ use of it. Sadly, it’s not the first time the Sri Lankan government has blocked social media over concerns about the spread of extremism through it.

How is this possible?

Social media platforms have benefited from a piece of US law, Section 230 of the Communications Decency Act, which says:

“No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider”

It’s an important part of maintaining free speech on the internet, and it means I’m not liable for comments someone leaves on this blog, and nor is WordPress. (The immunity is not total: Section 230 does not cover federal criminal law or intellectual property claims.) The EFF explains in more detail.

More scandal

This isn’t the only issue Facebook has been faced with. Last year they disclosed a breach in which attackers exploited a flaw in the “View As” feature to steal access tokens; Facebook reset the tokens of some 90 million accounts as a precaution, and later put the number of accounts actually accessed at about 30 million.

There are also growing concerns about health impacts as research piles up on the harm social media does, particularly to children. There’s also evidence that anti-vaccination activists are targeting ads at people likely to be wavering on the vaccination question, while the number of measles outbreaks keeps growing.

More famously, Facebook’s data and ad targeting have been used to undermine democracy in at least two countries. This is via the link to Cambridge Analytica, which harvested the profile data of millions of users through a personality-quiz app. Here’s how that worked, as explained by journalist Carole Cadwalladr:

With all this scandal, how is the company doing?

Well. Facebook is doing well.

Revenue continues to grow, user numbers continue to grow. User numbers have apparently levelled off slightly in the US and in Europe, but it’s not clear that this is due to scandals.

Facebook currently makes more than 1.6 million USD per employee, and 98% of its revenue is from advertising (2018 annual figures). This raises the question of just who the customer is. Remember that they don’t pay for any of the content placed on Facebook, in contrast to, say, a glossy magazine like Vogue, which at least provides some content to dilute the advertisements. So we, the users, are the content providers, and our attention is the commodity sold to advertisers.

Regulation Required

It seems this isn’t a problem that the free market can solve. We’re now living with a platform that is with us 24/7, pulls together a global community of more than two billion people, and holds data on our every move, and it tends to seek more data rather than less. One way that Facebook has grown is by acquiring Instagram and WhatsApp, and the company is now so rich that it can buy any competitor, thus stifling innovation. Governments have seen the impact on their countries, in Sri Lanka and in New Zealand with devastating effects, and in their elections. During the campaign to repeal the Eighth Amendment in Ireland, Facebook banned all ads funded from outside Ireland, showing that it is possible to contain the damage of foreign influence. The EU put the GDPR in place in an attempt to protect citizens against the power that Facebook and other social media companies have accrued; in response Facebook changed its terms of service so that around 1.5 billion users outside the EU are contracted with Facebook Inc. in the US rather than Facebook Ireland, putting them out of reach of EU legislation.

The US is also stepping up, with the FTC investigating Facebook’s use of personal data and a hefty 5 billion USD fine looming over the company. Even that might not be enough; there’s a bipartisan call for tougher protections on consumer privacy.

I started writing this post in December. It’s been rewritten more than any other post I’ve ever made, but every time I thought I was ready to hit publish something else happened. I nearly delayed again to analyse the information coming out of F8 and the appearance of a change in Facebook’s policy on privacy; there’s a pretty good analysis on the Vergecast. They’re not convinced, and nor am I.

Image via pixabay

Happy World Password Day

[image: CM2017_05_passwords.png]

Happy World Password Day! I know it’s more fun to celebrate May-the-Fourth in other ways, but this is important.

Passwords are how we keep our online accounts secure, and yet the most common passwords are horribly simple to guess. Every year the password manager company Keeper releases a list of the most common passwords found in breaches, and every year “123456” and “qwerty” are on the list.

Passwords must be both memorable and hard to guess; the conflict between those two needs is the fundamental problem.

Many sites require you to use combinations of uppercase, lower case, numbers, and symbols in the name of making it harder to guess or crack a password.

However the resulting password is not easy to remember, and because humans reach for the same common substitutions (an “@” for an “a”, a “0” for an “o”), it remains vulnerable: cracking tools apply exactly those substitution rules to their wordlists, so “P@ssw0rd” is little better than “password”.

To make a password hard to break you need to make it longer, use a range of characters, and avoid dictionary words. Something like the password in the image at the top of this post.

According to Kaspersky Lab’s password checker it would take 33 centuries to crack this password on a single home computer. Most attackers have more computing power than that, a GPU rig or rented cloud machines, and when they hold a stolen database of password hashes they can run the attack offline with no rate limiting, so the centuries shrink considerably.

There are two factors making a password hard for computers to guess: the randomness of the characters used and the length of the password. As the wonderful XKCD explained, we can use the length to make passwords both more secure and more memorable.
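As an added illustration that is not from the original post, the Python below turns those two factors, alphabet size and length, into bits of entropy and expected cracking time, and shows why a dictionary word with the usual substitutions gains nothing from its symbols. The guess rates are assumed round numbers, the tiny dictionary is constructed, and the leet rule set is a sketch of what tools like hashcat apply far more thoroughly; all the names are my own.

```python
import math
import secrets
import string

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Assumed, round-number guess rates for three attacker positions (not measured figures).
GUESS_RATES = {
    "online login, rate limited": 1e2,
    "offline, one home PC": 1e8,
    "offline, GPU rig": 1e11,
}


def entropy_bits(pool_size: int, length: int) -> float:
    """Entropy of `length` symbols chosen uniformly at random from a pool of `pool_size`.
    A 94-symbol printable-ASCII password and a 7776-word diceware phrase are both
    just length * log2(pool_size) bits."""
    return length * math.log2(pool_size)


def years_to_crack(bits: float, guesses_per_second: float) -> float:
    """Expected years to find a secret of `bits` entropy by exhaustive guessing;
    on average the attacker has to try half the keyspace."""
    return (2.0 ** bits / 2) / guesses_per_second / SECONDS_PER_YEAR


def crack_times(pool_size: int, length: int) -> dict:
    """Years to crack for each assumed attacker position."""
    bits = entropy_bits(pool_size, length)
    return {name: years_to_crack(bits, rate) for name, rate in GUESS_RATES.items()}


# Constructed, deliberately tiny stand-in for a real cracking wordlist.
SMALL_DICTIONARY = {"password", "welcome", "summer", "monkey", "dragon", "letmein"}

# The substitutions humans reach for; cracking tools undo them with a rule set like this.
LEET_MAP = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "i", "!": "i",
                          "3": "e", "$": "s", "5": "s", "7": "t"})


def is_dictionary_based(password: str) -> bool:
    """True if the password is a dictionary word dressed up with the usual tricks:
    trailing digits/symbols removed, leet substitutions undone, case ignored."""
    core = password.rstrip(string.digits + string.punctuation)
    return core.translate(LEET_MAP).lower() in SMALL_DICTIONARY


def random_password(length: int) -> str:
    """A password drawn uniformly from printable ASCII (94 symbols)."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(words: int, wordlist) -> str:
    """A passphrase of `words` entries chosen uniformly from `wordlist`.
    Its entropy is entropy_bits(len(wordlist), words), so the list must be large."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    for label, pool, length in [("8 chars, 94 symbols", 94, 8),
                                ("12 chars, 94 symbols", 94, 12),
                                ("6 diceware words", 7776, 6)]:
        print(f"{label}: {entropy_bits(pool, length):.1f} bits")
        for attacker, years in crack_times(pool, length).items():
            print(f"  {attacker}: {years:.3g} years")
    for pw in ["P@ssw0rd1!", "Summ3r2019", random_password(12)]:
        verdict = "dictionary-based" if is_dictionary_based(pw) else "not obviously dictionary-based"
        print(pw, "->", verdict)
```

Run it and the numbers make the XKCD point: six words from a 7776-word list (about 77.5 bits) sit between eight and twelve random printable characters (52.4 and 78.7 bits), and the offline GPU column is what matters once a site’s hash database has leaked. The entropy figures only hold when the characters or words are chosen at random; a memorised lyric is a wordlist entry, not a random draw.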

One of the challenges of managing online passwords is that we have so many of them. Often they can be saved on your device or in your browser, but this carries its own risks: if you lose your device, or someone obtains your computer login (in the case of Chrome, that is all that protects the saved passwords), that person gains access to all your accounts. You can use a password manager; there are many on the market and PC Mag evaluated 12 of them.

There’s a lot of advice out there on changing your password, and it’s often a mandatory practice on websites and within companies. But its usefulness as a security measure is dubious; in fact, because people tend to apply a simple transformation to the old password, the system might be less secure (NIST’s 2017 guidance, SP 800-63B, now advises against forced periodic changes). One company requiring mandatory changes also prevented reuse of password elements for 20 changes. Luckily there are twenty regions of Italy. Of course if there is a password breach on any website you use, you must change the affected passwords.

To find a good memorable set of words look to poetry, quotes or song lyrics. Using the Kaspersky Lab password check, Beyoncé’s lyrics fare pretty well, although the words are dictionary based and not particularly random; a checker that mostly rewards length will overrate a famous line, because crackers keep lyrics and quotations in their wordlists too.

Please take time today to celebrate World Password Day by making your passwords more secure:

  • choose long secure passwords
  • use different passwords for each site
  • use two factor authentication when sites allow it
  • consider a password manager
  • if you write down your passwords anywhere, don’t keep them with the device.

Image: mine, and no, that’s not a real password

Blockchain

[image: CM2016_07_blockchain.png]

Blockchain is the technology behind cryptocurrencies such as Bitcoin, Namecoin and Titcoin. These currencies work like any other currency when it comes to spending them, but they are created differently, and that creation relies on cryptography.

When I first heard about bitcoin I was working for a financial services company, and the person telling me was gleefully announcing it would be the end of banks. Lots of things have been touted as the end of banks over the years; this was just the latest. I admit I had a bit of a mental block about it, I couldn’t see how value was encapsulated in the bitcoins, which is probably exactly how people felt when paper money started to be issued by national banks.

It’s a little complicated so here’s the best explanation I’ve been able to find on the internet so far.

(Want to know more? Here’s an even more detailed version from the same expert.)

Blockchain is a distributed, decentralised ledger recording transactions. At its heart it provides a mechanism for parties who do not trust each other, or any central authority, to agree on a single record of what has happened.

It’s that documenting of trust that has led to further consideration of blockchain technology, starting with central banks themselves. Blockchain is claimed to solve two problems for established banks and central banks: (1) transactions become faster and (2) transactions become more secure. Because the transaction is recorded in a distributed manner, and because the transactions form a sequence in which each block carries the hash of the one before it, it’s extremely difficult to create a fraudulent transaction: altering an old entry changes its hash, which breaks every later link, and the change would have to be reproduced on the copies held by the other nodes before anyone accepted it.
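To make the sequencing argument concrete, here is a small added example (my own, not from the original post or from any real cryptocurrency): an in-memory hash-linked ledger with a toy proof of work, constructed sample transactions, and a verifier that shows where an edit to an old block breaks the chain. Networking and consensus between nodes are left out, and the difficulty, function names and transaction format are my own assumptions.

```python
import copy
import hashlib
import json

DIFFICULTY = 2  # required leading hex zeros; tiny so the example runs instantly


def block_hash(index: int, prev_hash: str, transactions: list, nonce: int) -> str:
    """SHA-256 over a canonical JSON encoding, so identical content always hashes the same."""
    payload = json.dumps(
        {"index": index, "prev_hash": prev_hash, "transactions": transactions, "nonce": nonce},
        sort_keys=True, separators=(",", ":"),
    ).encode()
    return hashlib.sha256(payload).hexdigest()


def mine(index: int, prev_hash: str, transactions: list) -> dict:
    """Find a nonce whose hash meets DIFFICULTY and return the finished block."""
    nonce = 0
    while True:
        h = block_hash(index, prev_hash, transactions, nonce)
        if h.startswith("0" * DIFFICULTY):
            return {"index": index, "prev_hash": prev_hash,
                    "transactions": transactions, "nonce": nonce, "hash": h}
        nonce += 1


def append_block(chain: list, transactions: list) -> list:
    """Link a new block to the current tip (or to the all-zero genesis pointer)."""
    prev_hash = chain[-1]["hash"] if chain else "0" * 64
    chain.append(mine(len(chain), prev_hash, transactions))
    return chain


def verify_chain(chain: list):
    """Recompute every block's hash and check each link to its predecessor.
    Returns (True, None) if the ledger is intact, else (False, index_of_first_bad_block)."""
    for i, block in enumerate(chain):
        expected_prev = chain[i - 1]["hash"] if i > 0 else "0" * 64
        recomputed = block_hash(block["index"], block["prev_hash"],
                                block["transactions"], block["nonce"])
        if (block["index"] != i
                or block["prev_hash"] != expected_prev
                or block["hash"] != recomputed
                or not recomputed.startswith("0" * DIFFICULTY)):
            return False, i
    return True, None


def build_sample_chain() -> list:
    """Constructed sample ledger: three blocks of made-up transfers."""
    chain = []
    append_block(chain, [{"from": "mint", "to": "alice", "amount": 50}])
    append_block(chain, [{"from": "alice", "to": "bob", "amount": 20}])
    append_block(chain, [{"from": "bob", "to": "carol", "amount": 5}])
    return chain


def tamper(chain: list, block_index: int, tx_index: int, new_amount: int) -> list:
    """An attacker edits a past transaction in their own copy of the ledger."""
    forged = copy.deepcopy(chain)
    forged[block_index]["transactions"][tx_index]["amount"] = new_amount
    return forged


def remine(chain: list, block_index: int) -> list:
    """The attacker re-mines the edited block so its own hash is valid again.
    The following block still names the old hash as prev_hash, so the break just moves forward."""
    forged = copy.deepcopy(chain)
    b = forged[block_index]
    forged[block_index] = mine(b["index"], b["prev_hash"], b["transactions"])
    return forged


if __name__ == "__main__":
    ledger = build_sample_chain()
    print("honest ledger:", verify_chain(ledger))
    forged = tamper(ledger, 1, 0, 9999)
    print("after editing block 1:", verify_chain(forged))
    print("after re-mining block 1:", verify_chain(remine(forged, 1)))
```

The verifier fails at block 1 as soon as its content changes, and after the attacker re-mines block 1 it fails at block 2 instead: every later block has to be redone, and on a real network the honest nodes holding their own copies would still reject the rewritten history. That chain of dependencies, not any secrecy, is what makes an old transaction hard to forge.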

There are other areas where documenting trust is important. The Economist reports on changes coming to the land register in Honduras that will use a form of blockchain; by distributing the land register on a blockchain the country will finally have a single land register. IBM is part of a consortium working on Hyperledger, an open distributed ledger that organisations can run privately to track a variety of transactions. They note that a transaction dispute can take 40 days to resolve, but with a shared ledger that time should be reduced.

Using a blockchain to execute agreements as code, so-called “smart contracts”, could have uses in multiple industries. In this podcast from the BBC’s “Click” programme they explored the idea of using blockchain in the music industry to codify ownership of music and enable simple payment.

MIT (who else?) have been looking at using blockchain as a certification mechanism for qualifications and memberships, and have written on the background and purpose of the project. If you’re a nice honest person who never lies on their LinkedIn profile you might struggle to see why this is important; however there are lots of CV ‘exaggerations’ out there, and it is important to be clear about what qualifications, experience and memberships a person holds when they apply for further education, a job, or public office. In the future our CV may come with blockchain codes to verify our statements.

Lastly, governments are examining the potential of blockchain. The UK Government released a report on blockchain technology this year in which they state the potential power it has in government business:

Distributed ledger technologies have the potential to help governments to collect taxes, deliver benefits, issue passports, record land registries, assure the supply chain of goods and generally ensure the integrity of government records and services.

In fact Estonia is there already. Its digitally savvy president, Toomas Hendrik Ilves, has overseen significant use of blockchain-style technology (Guardtime’s KSI, a hash-linked timestamping service) in securing identity and health records within the country, and he’s working for closer integration with other countries across Europe. There’s a broad vision behind Estonia’s digital programme, and the implementation has simplified a great many processes for its citizens.

In the future some form of blockchain technology will be behind how you access government and financial services. It will be more secure, more able to protect your privacy, and less prone to disruption or loss of data.

Image: Chained  |  Danna § curious tangles  |   CC BY-NC-ND 2.0

Security is Like Water

A pipe in my kitchen broke this week; water leaked everywhere, seeping into everything through the smallest gap. This got me thinking about other types of leaks. I think there’s a reason we talk about information and security leaks: you can do everything you want to contain information, but it will pass through the smallest gap.

The reason is that there is a natural tension between the measures needed to make a company secure and the activities people have to perform in the course of their work. Every attempt to lock down security across an organisation pushes employees to find alternative routes to get their work done.

Ars Technica reported earlier this year that when Hillary Clinton, as Secretary of State, requested a secure BlackBerry she was refused. A BlackBerry was Clinton’s preferred tool for answering emails, and a secure BlackBerry had already been provided to Obama (and to Condoleezza Rice, Clinton’s predecessor). Now this seems a very odd decision to me: Secretary of State is one of the highest offices in the US, fourth in the line of presidential succession, and a role that would obviously involve a lot of email correspondence with the president, presumably of a similar “top secret” nature.

I’ve heard of the same thing playing out in different ways in companies.

  • Generic USB sticks were banned, the company-provided USB sticks had a nasty habit of corrupting video files, and it was already impossible to email large files. So employees doing presentations outside the company would use a Hotmail account to email the video to themselves so that they could play it at a conference or meeting outside the company.
  • When new board members wanted meeting notes electronically, the security advice was to give them company laptops. But these were people who travelled extensively and sat on the boards of several companies. Password-protected PDFs were used as an interim measure, but the longer-term solution was a secure site.
  • When security teams became aware that social engineering techniques were being used on LinkedIn, specifically targeting company employees, they blocked LinkedIn from the company network, ignoring the fact that this just moved the risk to outside work hours and to personal mobile phones.

In all these cases employees quickly found a work-around. In some cases the risk was reduced in this process, in others not.

As Tom Seo wrote in a recent TechCrunch article, “security is defined as a largely operational function, which in turn leads to reactive, incohesive decision-making”, and I think that security has been seen as an operational function, with a defensive or reactive mentality, for a long time.

To keep something perfectly secure we lock it away, put it in a safe, behind a wall, or in a fortress. But for companies there is no way to build an effective wall around their digital information, since using that information is an operational necessity. Sure, we use the term “firewall” for a sort of digital approximation of a wall, but we still send information across a firewall and use technology outside one.

Years ago a security colleague said to me “we can no longer build a completely secure system; we have to choose which risks to remove and which to manage”. It’s a good start, but I look forward to the day when security teams think in terms of solutions rather than rules.

Image: water via pixabay


Doxxing

I heard this for the first time recently, despite being online for hours of every day for the last 15 years, and despite witnessing a couple of examples of it.

So what is it? Here’s the definition the Urban Dictionary gives; you’ll note it’s from 2008.


Some examples:

  • in an anonymous forum someone figures out who you are IRL (in real life) and publishes your real name.
  • your social security number ends up on a site based in the former Soviet Union, and you’re the First Lady, Michelle Obama.
  • the FBI director’s home address was posted online (although an out-of-date address).

It sounds like a problem, and it could be in some cases, but it’s legal. Or at least, in the US, it’s legal to re-publish information that is already public.

If the information was obtained by hacking or by social engineering then a crime may have been committed, and if the information is used to break into email accounts, commit fraud or threaten someone, that is a crime.

But publishing public information? Not a problem.

Which means we should all be smart about how much information we share online, but as the number of devices we use grows, and the amount we communicate online grows, this gets harder.

image: address book via pixabay