Rossander’s Security Reader

I’ve joked before that Microsoft is evil. They’re easy to hate. My own opinion was equal parts rooting for the underdog (that is, anyone not MS), jealousy (why didn’t I think of that) and frustration at the low level of responsiveness that comes from any monopoly. I derided their security practices and settings while secretly acknowledging that writing good software is hard.

Well, a recent Wall Street Journal article changed the balance when they reported that Microsoft had the chance to completely reset the industry standards for privacy and deliberately choose not to. In early 2008 as they were planning for the Internet Explorer 8.0 browser, the product developers were building in tools and settings that would automatically defeat most common tracking tools unless a user deliberately switched to less private settings. Then marketing managers heard about the plan and, knowing just how much of their profits come from advertising, quashed the plan. The developers were forced to pull that code and changed the default setting back to the non-private mode. True, you can still make IE an almost safe browser if you know how but most people don’t have the skill or time to do so. Microsoft squandered a golden opportunity to take the moral high road and make the internet safer for all of us.

So what are your alternatives? You actually have quite a few – so many that the choice can be intimidating. Some people rave about Google Chrome. I don’t have much experience with it but given Google’s documented approach to privacy in their other applications, I’m skeptical. Apple’s Safari has its champions. If you’re already a Mac user, it’s probably a good choice. Opera also has its fans. Opera first introduced many of the features that are now considered standard for browsers and have some of the best features for users who have visual or motor impairments. They have a lead in mobile software (smart phones, Nintendo, WII, etc) but have never really caught on for mainstream users.

My preference, though, remains Mozilla’s Firefox. It has more users than any of the others (after Microsoft) so it has more developers watching for and fixing bugs. And it’s an early and prominent player in the open-source movement, a cause that I believe deserves support. (By the way, that means it’s FREE! Really. No strings. These people do it because they think it’s right.)

That said, there are a couple of features you need to turn on in order to be properly secure even with Firefox. In particular, here are two add-ons I strongly recommend – Adblock Plus and NoScript. They take a little getting used to but are well worth it for the added security they bring. You also have to make some choices in the Firefox settings themselves. In particular, you need to choose your cookie settings. I don’t think it’s realistic to disable all cookies. Too many are used to remember login information and make the websites work. Under Tools/Options and the Privacy tab, check “Accept cookies from sites” but then change the Keep Until setting to “I close Firefox”. I also recommend checking the “Clear history when Firefox closes” button. Use the “Exceptions” button to permanently allow the common, reputable sites you visit such as Yahoo, Amazon, Google, etc.

Do all that and you’ll have a reasonably secure browser. And maybe someday the bureaucrats at Microsoft will realize that they are squandering a chance to be the good guys for a change.

I’m not a huge fan of Stephen Colbert but he occasionally has some very interesting things to say about privacy. The Electronic Freedom Foundation recently highlighted his video article on solving the problem of young people posting things online that they will later regret.

As EFF very creatively put it, “the CEOs of Google and Facebook can be astonishingly tone deaf [about] the privacy of their customers.” To live up to their view of the world, you either have to be a superhuman saint or a faceless drone with a life so boring that you may as well not even exist. They have a financial incentive to set the bar that high because the alternative is to stop them from datamining and profiting from our private information.

Germany is experimenting with some interesting privacy laws which may start to rebalance private and public rights. They have successfully taken on Google Street View and are working on a number of other privacy issues. Of course, there’s no guarantee that the US would or even should follow Germany’s lead but we should watch it carefully.

In the meantime (and in the CEOs’ defense), I have to agree with the core principle that if you would be embarrassed to see it on the front of tomorrow’s newspaper, maybe you shouldn’t be doing it. Or at least don’t advertise it by posting the incriminating picture yourself for the whole world to see it.

This week’s post isn’t strictly a computer security topic but it’s a core privacy issue and I think that’s close enough.

Time magazine ran an article recently asking Should Videotaping the Police Really Be a Crime? The article tells the story of Anthony Graber, a Maryland Air National Guard staff sergeant, who faces up to 16 years in prison for posting a videotape of a traffic stop on YouTube.

Apparently, Graber keeps a video camera on top of his motorcycle helmet to record his journeys. He got a little too enthusiastic this time, popping a wheelie and going 80 in a 65 mph zone. The camera was rolling when an unmarked gray sedan cut him off as he stopped behind several other cars at an exit from the interstate. A man in a gray pullover and jeans got out of the car wielding a gun and repeatedly yelled at Graber, ordering him to get off his bike. Only then did Maryland State Trooper Joseph D. Uhler identify himself as “state police” and holster his weapon. Graber got a speeding ticket which he says he deserved.

Anyway, even if you deserve the speeding ticket, I can understand being upset about the traffic stop. Uhler should have known better and was certainly trained better – plainclothes police must identify themselves before they can have any expectation of obedience. If someone jumps out of a car screaming and waving a gun at me, I only hope I can react as calmly as Graber. Rather than file a formal complaint, though, Graber did what many do these days when dissatisfied with the service whether it’s of a company, a restaurant or the government – he posted his experience online.

Fast forward one month to April 8 when Graber is woken up as six officers raiding his parents’ home in Abingdon, Md., where he lived with his wife and two young children. They arrested him and confiscated four computers, the camera, external hard drives and thumb drives. He learned later that prosecutors had obtained a grand jury indictment alleging he violated state wiretap laws by recording the trooper without consent. Maryland is one of 12 states which require all parties to consent before a recording might be made if a conversation takes place where there is a “reasonable expectation of privacy.”

My apologies for the long introduction but we’re finally at the privacy issue: Does a traffic stop conducted in full view of the public and on a public roadway ever constitute a situation where there is a reasonable expectation of privacy? For that matter, is any official action by a law enforcement officer a private act deserving of that kind of protection from scrutiny? How do you square this criminal charge by the prosecutors with the COPS mentality where homes are invaded and suspects arrested on TV? (The perpetrator must sign a waiver or have his/her face blurred but no such waivers are requested of family members and other bystanders.)

I am extremely uncomfortable with the position taken by these prosecutors. In my opinion, an arrest or even a stop for questioning is an inherently public act. The State might have an obligation to protect the privacy of the suspect (since he/she still retains the presumption of innocence) but no such protection applies to the officer of the State. Nor should any such protection be needed – if an officer is behaving appropriately, why should he/she be worried about being filmed? That’s the argument trotted out by prosecutors in favor of the traffic cameras and other forms of public monitoring, after all. And it applies even more so since the officer is acting in his/her official capacity rather than a citizen’s private act of driving.

Third-party filming presents a more complicated question but in this case I think the suspect’s act of videotaping can be taken as implied consent.

Unfortunately, the Graber prosecution is not a rogue act. Prosecutions for videotaping of police encounters appear to be on the upswing. And even if they don’t win the legal case, the very threat by the police is intimidating and chills our society. Few people have the will to risk jail to defend their rights. Graber’s case may still be thrown out (his hearing is scheduled for October) but his lawyer says that “the message of intimidation has already been sent.” Graber says that he is afraid of police now and so nervous driving that he has put his motorcycle up for sale.

I’ve done a little digging into the debates around the time that Maryland and others were writing those wiretapping laws. From everything I can tell, they were written to protect us from state-sponsored intrusions into our privacy unless and until the state gets a warrant explicitly authorizing the intrusion. Can anyone find a differing opinion in the record?

So back to privacy at your company. If I believe the police should be transparent in their dealings with the public, I should hold myself to the same standard. Can an employee videotape an encounter with another? What about recording a meeting with a manager? Do they need to disclose it? What will you do when they don’t? With the advent of cellphone-based cameras, I don’t know if you could stop the recording even if you try. Disgruntled employees keep notes on their coworkers – they always have. This is different only in degree.

Ideally, we should all behave in such a way that we’d never be embarassed if something showed up online. That’s a very high standard of professionalism. We teach people over and over to make that assumption when writing emails. Now we have to think about it all the time. Are your people up to it? Are you?

Papers around the country have been carrying an Associated Press story about a “new” ID theft threat. Apparently, they just discovered what we’ve been talking about since 2005 or so – that minors are every bit as much at risk of identity theft as the rest of us. You can read a copy of their article here. It’s not as new as they make it out to be but it’s a good article. They do a good job explaining how some of the scams work.

ID thieves like to find SSNs for minors because they know it’s a clean number with no adverse information. They can open accounts in the child’s name and exploit them for years – maybe until the child starts applying for financial aid for college.

Check your own credit report regularly. You are eligible for a free report every 12 months from each of the three major credit reporting agencies through annualcreditreport.com. I recommend looking at one of the three every four months – you get an 80% view but three times as often.

At the same time, check your kids’ credit reports. You can’t use the same online site, though. You’ll have to send a physical letter to the credit reporting agency. Be sure to include your child’s complete name, address, date of birth, a copy of the child’s birth certificate and social security card. You’ll also have to send a copy of your driver’s license and a current utility bill containing your current address. If everything is clear, you’ll get a letter back that they can’t find a record for that ID.

The Wall Street Journal ran an article the other day about a new profanity policy. The policy is a spinout from the public embarrassment they got during a Senate hearing back in April. Some of the traders’ blunt and explicit comments about the securities they were selling were read on the Senate floor. (It was the first time I’d heard CSPAN bleeped out.) Ignoring the ethical issues of selling a product that you don’t believe in, Goldman is trying to reduce the potential for future embarrassment by cleaning up their language before the next time.

I have mixed opinions about the new policy. On the one hand, that industry has a very macho image. Profanity is an ingrained part of their culture. Profanity recognizes and reinforces the aggressive attitudes valued among the traders. Profanity can show the passion of the speaker. And, arguably, it helps in bonding and cultural norming. Similar trends are common among soldiers, journalists, police, some sports teams, etc. The language is offensive to outsiders but, in some ways, that’s the point. It becomes part of the group identity. And as long as it’s limited to the insiders who participate by choice, well, you should be cautious about changing the a successful culture.

Having said all that, I think the new policy is a good one. Clearly their behavior has gone too far. It was adversely impacting the business and needed to be reined in. More than that, the informal language leaked out of mere speech and into their emails, creating a permanent record that will inevitably be exposed to outsiders who do not participate in, understand or appreciate the ingroup’s culture – outsiders who may be deeply offended by the choice of language. That’s just inexcusable.

As we’ve often talked about before, emails are official business communications and must be treated as such. They deserve all the thought and professionalism that we used to put into a formal memo back in the days of carbon paper and typewriter ribbons. If you’d be embarrassed to have your email read in church or quoted on the front page of the newspaper, then you should rethink the message.

But I’m not such a fan of the automated filters that Goldman and others are using to enforce their policy. Profanity filters try to identify the offensive words and, depending on the company’s settings, return the email to the sender, block the email or allow the message to go through but flag a copy to HR. The filters use long lists of keywords, usually including common abbreviations and aliases (like adding ** in place of the vowels). The problem is that the offensiveness of a message is often dependent on context. As soon as you get a list long enough to be even marginally effective, you will inevitably suffer false positives.

As an example, my company tried to do something similar as a spam filter a few years back. In hindsight, it’s not really a surprise that construction companies (many of whom were our customers) use the word “erection” in legitimate business messages. BS can be a pejorative abbreviation or a respectable undergraduate degree. POS can describe a defective piece of hardware or your Point Of Sale register (and, yes, your POS can be a POS if you bought from the lowest bidder).

I should note that some of the most advanced filters now claim to be able to differentiate meaning based on the context of the message. They do alright for spam filtering and are showing promise for some other purposes but I don’t think they’re ready for use as profanity policy enforcement. The English language is too loose and our people are too creative. Very few of the filters would correctly parse the paragraph above and none can keep up with the changing acronyms and innuendo that people employ to dodge the censors. My prediction is that the filter will have some short-term shock value but the real change will only come when managers do their jobs – teaching employees the new standards, leading by example and holding people accountable when they backslide. That’s the only real way to change the culture.