This is a bit off the path of information security but I wanted to share an excellent article on why you should distrust 90% of what you read (including, unfortunately, much of the computer security advice out there).
The Atlantic published this interview with Dr John Ioannidis, a medical researcher who has dedicated his career to showing that “much of what medical researchers conclude in their studies is misleading, exaggerated, or flat-out wrong.” This is true even in the ‘gold-standard’ peer-reviewed studies. The biases of funding and publication pressure are too much to overcome. Worse, even when the studies have been overturned, the medical community continues to rely on the old, disproven theories.
While his study and his research are based on medical journals and medical research, his findings are applicable to everything from physics to economics to computer science.
You can also read Dr Ioannidis’ original paper at PLoS Medicine. He lays out a detailed mathematical proof that, “assuming modest levels of researcher bias, typically imperfect research techniques, and the well-known tendency to focus on exciting rather than highly plausible theories, researchers will come up with wrong findings most of the time.” He wrote a follow-up article here specifically discussing the distortion caused by publication practices. I recommend both for anyone with an interest in the scientific method and/or an interest in sorting truth from rumor among the deluge of “good advice” on the internet.
Posted by Mike Rossander on 2010 October 25 at 09:44 under Uncategorized.
For several years now, I have smugly been talking about the weak privacy standards of Google and Facebook, confident that my providers were better than that. Well, it turns out that Yahoo is guilty of the same things. Yes, I use the Yahoo webmail service and I’ve been very happy with it. And, yes, I strongly recommend that everyone have a personal webmail account that is unconnected to your current work email.
Anyway, about three months ago, Yahoo launched several information sharing services. If you use the Yahoo Contacts feature, other people in your address book would be able to see what you’ve been up to – postings, connections and other activities within the Yahoo sites. And you can see information about them.
In principle, I have nothing against features that let us share information with others. My problem is the underhanded way that these companies roll the new features out. I never received any announcement about them and certainly got no training on my options to control the information they would be sharing. Worse, the default settings are “share all”. You have to know to look for and then take deliberate action to restrict the sharing. I didn’t even notice the change for months. If these companies really cared about security, the defaults would be rolled out the other way.
If you are a Yahoo user and you use their Contacts feature, here’s how to lock the program back down:
- Log onto your Yahoo Mail account.
- Click the Contacts tab at top left.
- Click the Tools dropdown and select ‘Seeing Updates from …’
- For a full lockdown, uncheck both the master settings at the top of the screen (‘Share my Updates’ and ‘See Updates in Yahoo Mail’)
If you like the sharing but want to restrict it to the people you are actually close with (rather than every random business contact that you’ve ever added to your Blackberry), go through the list and select the ‘Stop Getting Updates’ at the right of the contact’s name. You can also get a little more granular control using the ‘Manage my Updates’ link near the top left of the page. But blocking everything is easier.
The Yahoo Calendar also has some Sharing settings but since I don’t use their calendar feature, I don’t have good advice for how to lock it down. Any suggestions from people who do use it?
Posted by Mike Rossander on 2010 October 8 at 17:06 under Email, privacy.
Senator Patrick Leahy just introduced the ‘Combating Online Infringement and Counterfeits Act’ (COICA). As the Electronic Frontier Foundation notes in their press release, this is an egregious power grab by the government. This bill would allow state Attorneys General to arbitrarily designate entire internet domains as “infringing” and require domain registrars/registries, ISPs, DNS providers, and others to block Internet users from reaching those domains. Worse, the bill allows the US Justice Department to create its own blacklist with even more intrusive restrictions and fear-inducing penalties, all without any judicial review, much less an actual conviction that something illegal really happened.
The thinly veiled excuse of “copyright protection” ignores the massive potential for abuse on the part of overzealous prosecutors and bureaucrats. It tramples on the First Amendment rights of other potential users of the domain, requiring not merely that the specific infringing content be taken down but that everything else on the site, all the blogs, images and any legitimate content be made inaccessible as well.
The US is supposed to be the leader in freedom. This bill sends a message to the rest of the world that we don’t really believe what we say – that censorship is acceptable. This is a very dangerous and patently unconstitutional bill.
Please take a minute to read EFF’s article. But more important, WRITE YOUR SENATOR opposing this bill.
Posted by Mike Rossander on 2010 September 24 at 20:21 under Governance, Intellectual property.
Joshua Gilliland writes an excellent blog on many legal issues. Today’s posting about a recent court case in California is a disturbing story. Please go read the full version.
The issue at hand is the government’s right to track you as you go about your business. The case involved a suspected drug dealer. The police planted a GPS tracking unit on his car and compiled full records of his movements over several days. They found evidence of illegal activity and convicted him. He appealed, arguing that the way the police collected the evidence violated the 4th Amendment.
At the risk of defending a convicted drug dealer, there are some very disturbing aspects of this case.
First is the Court’s determination that bugging your car with a GPS is fundamentally the same as bugging it with an older “beeper” technology. GPS is far more intrusive and more capable. It is not limited to proximity, it’s always on and it is far more precise in the location reported. And while my location at any one store may be a public action, there is no easily public way to aggregate that information. So even if an individual trip out of the house is public, I still retain an expectation of privacy for the pattern of trips.
Second is this Court’s determination that your driveway is “public” – that you have no expectation of privacy on a car on your own property. From the available reports, the police invaded the suspect’s property to plant the bug. Their argument was that the gas meter reader and postman have rights to come to your front door, therefore the police have a right to come onto your property, too. Their argument for doing so is, in my opinion, weak. The limited right to come onto my property for a defined purpose (and in compliance with an implicit contract for service) does not equate to an unlimited right of access. I do not, for example, sacrifice my rights to allege trespassing by vandals just because the postman delivers mail.
The most worrisome point, though, is that both these concerns could have been made moot if the police simply asked for a warrant before attaching the bug. The government’s assertion of a right to do this without a warrant is what makes this such a very concerning precedent. Like Josh, I hope that the Supreme Court accepts the appeal and overturns this standard, preferably sooner than later.
Posted by Mike Rossander on 2010 September 13 at 08:59 under privacy.
I’ve joked before that Microsoft is evil. They’re easy to hate. My own opinion was equal parts rooting for the underdog (that is, anyone not MS), jealousy (why didn’t I think of that) and frustration at the low level of responsiveness that comes from any monopoly. I derided their security practices and settings while secretly acknowledging that writing good software is hard.
Well, a recent Wall Street Journal article changed the balance when they reported that Microsoft had the chance to completely reset the industry standards for privacy and deliberately chose not to. In early 2008 as they were planning for the Internet Explorer 8.0 browser, the product developers were building in tools and settings that would automatically defeat most common tracking tools unless a user deliberately switched to less private settings. Then marketing managers heard about the plan and, knowing just how much of their profits come from advertising, quashed the plan. The developers were forced to pull that code and changed the default setting back to the non-private mode. True, you can still make IE an almost safe browser if you know how but most people don’t have the skill or time to do so. Microsoft squandered a golden opportunity to take the moral high road and make the internet safer for all of us.
So what are your alternatives? You actually have quite a few – so many that the choice can be intimidating. Some people rave about Google Chrome. I don’t have much experience with it but given Google’s documented approach to privacy in their other applications, I’m skeptical. Apple’s Safari has its champions. If you’re already a Mac user, it’s probably a good choice. Opera also has its fans. Opera first introduced many of the features that are now considered standard for browsers and has some of the best features for users who have visual or motor impairments. They have a lead in mobile software (smart phones, Nintendo, WII, etc) but have never really caught on for mainstream users.
My preference, though, remains Mozilla’s Firefox. It has more users than any of the others (after Microsoft) so it has more developers watching for and fixing bugs. And it’s an early and prominent player in the open-source movement, a cause that I believe deserves support. (By the way, that means it’s FREE! Really. No strings. These people do it because they think it’s right.)
That said, there are a couple of features you need to turn on in order to be properly secure even with Firefox. In particular, here are two add-ons I strongly recommend – Adblock Plus and NoScript. They take a little getting used to but are well worth it for the added security they bring. You also have to make some choices in the Firefox settings themselves. In particular, you need to choose your cookie settings. I don’t think it’s realistic to disable all cookies. Too many are used to remember login information and make the websites work. Under Tools/Options and the Privacy tab, check “Accept cookies from sites” but then change the Keep Until setting to “I close Firefox”. I also recommend checking the “Clear history when Firefox closes” button. Use the “Exceptions” button to permanently allow the common, reputable sites you visit such as Yahoo, Amazon, Google, etc.
Do all that and you’ll have a reasonably secure browser. And maybe someday the bureaucrats at Microsoft will realize that they are squandering a chance to be the good guys for a change.
Posted by Mike Rossander on 2010 September 6 at 16:03 under Home Computer.