Archive for the ‘Privacy’ Category

Another Reason to Protect Your PC

Monday, November 9th, 2009

Companies that sell antivirus or anti-spyware packages often sound like they’re using scare tactics to sell their wares. Selling based on fear is a common tactic, e.g. “buy a Foo Corp home alarm system or your family will be massacred!” This tactic is used to boost sales in many product lines. Thing is, it’s not always unwarranted fear. People do break into houses, residents are occasionally murdered in their beds (though not nearly as often as alarm companies want you to believe), and, yes, antivirus software does help keep the bad guys out.

Maybe no example of the need for such software is as clear as a recent one involving a family accused of peddling child porn via their PC. The one I’m referring to “involved Michael Fiola, a former investigator with the Massachusetts agency that oversees workers’ compensation. In 2007, Fiola’s bosses became suspicious after the Internet bill for his state-issued laptop showed that he used 4 1/2 times more data than his colleagues. A technician found child porn in the PC folder that stores images viewed online.”

Needless to say, Fiola was fired and prosecuted for these perceived offenses. He and his wife spent their life savings — about $250,000 — defending themselves against the charges. Eventually they had the system inspected by a computer forensics specialist. The scan “revealed the laptop was severely infected. It was programmed to visit as many as 40 child porn sites per minute — an inhuman feat. While Fiola and his wife were out to dinner one night, someone logged on to the computer and porn flowed in for an hour and a half.” [italics mine]

After a long fight, and using the forensics report as evidence, Fiola was finally exonerated. But the money is gone, along with his and his wife’s health. What’s worse is that “about 20 million of the estimated 1 billion Internet-connected PCs worldwide are infected with viruses that could give hackers full control, according to security software maker F-Secure Corp.”

Is your PC on that list? Could you suddenly find yourself at the receiving end of legal action? If you’re at all worried about this, and you should be, go buy (and maintain!) a good antivirus/anti-spyware/firewall package for your machines.

Microsoft Adds FUD to the Cloud

Thursday, November 5th, 2009

Cloud computing, “information on demand,” or “application service providers” — it doesn’t matter what name you use. The basic concept behind all these ideas is that networking should enable people to stop buying and installing applications locally on their PCs. In 2000-01, the “ASP” model intended to move most (if not all) applications to central providers, like Jamcracker and other startups. Data would live locally, while applications ran over the net. It succeeded…somewhat.

Then, a few years later, “on demand” computing became the new buzzword. This was the idea of moving not only applications, but also computing horsepower (i.e. CPU cycles and so forth) to the network. IBM and others got into this model, and are still pushing it today. Overall it’s a good idea. Why go buy a bunch of big iron (i.e. servers, computing systems, and storage) if you only need it now and then? It’s really just a newfangled way of doing what we called “timesharing” in decades past.

Then the “cloud” idea popped up. That moved not only applications and compute cycles, but also your data to the service provider’s systems. Under this model, you basically need only PCs with browsers and email (and maybe not even the latter) in house. The rest lives on virtual servers at your provider’s location. You use that horsepower as needed, and pay the bill at the end of the month.

However, Microsoft is behind the curve in terms of Cloud implementation…and it threatens their business model. So they’ve attempted to introduce some FUD to “warn” people about possible shortcomings of this new computing model. They’re trying to introduce some privacy concerns, which are definitely justified, in order to warn people away.

Of course, keeping the current “buy your software and you own it” model works just fine for the folks at Redmond. So they’re correct in saying that “privacy protections are essential to building the customer trust needed for cloud computing and the Internet to reach their full potential.” But behind that noble-sounding statement is the company’s worry that customers will rent, not buy, software and systems in the future.

Caveat emptor.

A Very Bad Piece of Legislation?

Wednesday, November 4th, 2009

Today a friend posted an article about the ACTA (Anti-Counterfeiting Trade Agreement) treaty to his Facebook account. It was the first I’d heard of this work, so I decided to have a look at some of the information currently circulating around the Internet about it. At first glance, one would think it’s designed to help slow the tide of illegal Chinese or Russian copying of DVD and other material. However, the negotiations have been labeled as part of “national security” and therefore aren’t available for review by the public.

This is simply idiotic.

Currently, groups like the EFF (Electronic Freedom Foundation) and other civil liberties groups are opposing the treaty as it’s currently written. The problem is that very little information about specific aspects of the negotiations is available. Only one allegedly leaked document has emerged so far. According to the EFF:

A document recently leaked to the public entitled ‘Discussion Paper on a Possible Anti-counterfeiting Trade Agreement’ from an unknown source gives an indication of what content industry rightsholder groups appear to be asking for – including new legal regimes to “encourage ISPs to cooperate with right holders in the removal of infringing material”, criminal measures, and increased border search powers. The Discussion Paper leaves open how Internet Service Providers should be encouraged to identify and remove allegedly infringing material from the Internet.

If true, it casts ISPs in the role of network cops who are supposed to effectively monitor traffic traversing their networks and report infractions to some enforcement body. This is totally in opposition to the concept of the ISP as Common Carrier (like telecommunications companies, which effectively they are). It smacks of Soviet-style surveillance of communications among dissident or other suspicious groups. But is this an accurate assessment?

We don’t know where the “leaked” document came from. It may be completely legitimate, which means the ACTA should be opposed vehemently by anyone with a brain. If passed and signed in its allegedly current form, it means your iPod or laptop could be searched at any border, and any “illicit” material confiscated. It means you could be arrested for sharing a 1980s rock video on YouTube (which may not even exist anymore due to copyright concerns).

This is the problem with the government blindly labeling so many proposals and treaties as “national security” risks. If people could locate and read the actual text as currently proposed, there’d be far less ambiguity. We’d know exactly what it says and how enforcement is to work. Was the “leak” created by some anti-treaty nut trying to inflame people about the negotiations? Or is it an actual component of the ACTA material? We don’t know.

Write your Representative and Senator. Demand the sort of open access and transparency that the current administration claimed to support in its dealings. The rights you lose will be your own.

Facebook Quizzes and Privacy

Wednesday, September 16th, 2009

One of the advantages of social networks is that they can put you in contact with old friends, schoolmates, and co-workers. With a few clicks, you can reach out to people you haven’t seen in decades (presuming you’ve been alive that long), and meet up with like-minded people.

However, one of the disadvantages of social networks is that they can put you in contact with people you’ve never met, whose profiles may be bogus, and who might not be the nicest people in the world. They’re a lot like talking over CB radio: the person on the other end of the mike might claim to be a stunningly beautiful college student (of whichever gender) living just across town. But they could turn out to be a 14-year-old kid using a hijacked account, or a 50-year-old stalker looking for their next victim.

This isn’t to say you should be paranoid online, but you should be careful. This is even more apparent when you take the ACLU’s Facebook Privacy Quiz and find out how much information might be accessible to people you don’t even know.

If you set up a default FB account and never adjust the privacy settings, your profile can be picked up and published externally by various search engines without your knowledge. And if you subscribe to any of the popular quizzes that frequently show up on Facebook, your profile information becomes immediately accessible to those applications. Answer some questions in the “Which Tolkien Character Are you?” quiz, and some guy in Lithuania might gain access to all your photos, posts, friend lists, and other information.

Facebook itself has a privacy policy, and claims that developers must adhere to it. But you can set yourself up as a Facebook application developer using nothing more than an email address, so how much checking really goes on? Probably very little, since hundreds of applications and quizzes pop up on a daily basis.

Take the quiz. Then follow the ACLU’s suggestions about your profile settings. Lock them down so that only friends, and friends of friends, can see your information. Don’t provide unnecessary levels of information regarding your personally identifying data to any social networking site (especially your full birthday, phone number, or other sensitive information). Protect your privacy.

Cybercriminals Want You…Or Do They?

Thursday, September 10th, 2009

Everyone is vulnerable to identity theft. Leave a utility bill, credit card receipt, or (worst of all if you’re an American) your Social Security info lying around in the wrong place, and you could be in for a world of hurt. But it’s also pretty obvious that some people are far better marks than others. The more you’re worth, the more you can lose.

I suspect many of us have an “it won’t happen to me” attitude about cyber crime, but now you can check your risk using a new Norton site that, after a few quick questions, can tell you how much you have to lose online. In a few minutes you can find out how much your online assets are worth, how much your online identity would sell for on the black market, and your overall risk of becoming a victim of identity theft.

I took the test, and got a risk level of “medium” (no idea how that was arrived at). Many of the questions are relatively obvious, asking whether you do online banking, use social networking sites, and other services that could potentially reveal information to criminals. What was appalling is that, based on my answers, I was told that a criminal would be willing to pay as little as $30.59 to obtain a copy of all my personal data. I guess I’m worth more than I thought, since I answered that they’d be willing to pay $10!

Naturally, Symantec wants to sell you some software as well. But they claim they’re not trying to instill fear or paranoia — neither of which is useful anyway. They’re trying to raise awareness, and are hoping IT managers and others will send users to the site.

I’ll say it again: security is hard. We all have to remember to lock our cars and homes, to monitor the location of our credit cards and licenses, and to shred information before putting it in the bin. The same rule applies for online security — you have to think about not revealing information on a web site that purports to represent a legitimate business entity. Don’t be paranoid, just be vigilant and careful. Remember that criminals can assemble your whole life history using bits of data gathered from multiple locations. Be careful where you click, and what you tell others.

Wireless Security in the News

Wednesday, September 2nd, 2009

If you’re still using WEP (Wireless Encryption Protocol) to secure your wireless networks, you’re basically wasting your time. This is especially true now that WPA has been hacked (using a practical attack against a known vulnerability) in less than a minute. That’s incredibly bad news, especially since so many sites use this level of encryption to “protect” data.

The situation is clear. “Unfortunately, many companies in the payment card industry are still using WEP, and many more have upgraded to WPA only to find that neither technology is now secure.” The WPA attack has been known for some time, but only recently has been demonstrated in a real situation. Theoretical attacks are one thing…but they’re irrelevant unless someone shows they can be put to practical use by hackers and others with limited resources.

So the best bet is to move to WPA2, since it is (at least for now) secure and unbroken. This said, the hack to WPA doesn’t mean you need to move your home network to WPA2…unless you regularly gain access to restricted data or confidential information, and there’s a reasonable chance someone is listening in. I live in a fairly remote area, and there are no nearby WiFi networks. The likelihood that someone will be listening in on my transmissions is next to zero.

The people who really need to worry are those in financial services, health care, and other businesses whose daily activities involve sensitive data. In these situations, someone could easily drop an unauthorized device in the right location and potentially listen in on WPA-encrypted business traffic. For these businesses, probably the only option is to upgrade to WPA2 as soon as practically possible. This version of WPA adds NAC to help automate key management as well as RADIUS-based authentication. Hopefully it provides proactive security that will make it more secure over a longer term.

Nothing is guaranteed…an announcement of a WPA2 crack could occur at any time. Until that happens, it’s the best wireless encryption you can get from a practical sense.

Egregious Privacy Violations

Thursday, August 20th, 2009

Recently a colleague asked if I’d ever looked myself up on a site called White Pages. I’d actually never heard of it, and decided to take a look. As it turns out, I entered my name and discovered the site not only had recorded my current address, but all previous addresses right back to my childhood.

I checked a few other family members and discovered all their information (minus unpublished phone numbers) was available on this site. Several work in somewhat sensitive jobs, and are not all that happy that this information is being published on a site without their knowledge. What’s sad is that a search on my (unusual) surname also turned up both my parents and one uncle, all of whom are long deceased. I don’t even know what point there is to this.

Apparently the site obtains all this data by crawling public records sites, retrieving the information, then publishing it without notifying the owners of the records (that’s you and me, incidentally). You can, however, have your records removed by filling out a form on the site…which I did immediately, though apparently they may re-crawl the information at a later date and publish it again.

That citizens are required to opt out of a scheme they may not even be aware exists is yet another case for regulating this practice. Opt in should be the norm. No one should be required to petition a company for removal of information they hadn’t authorized for release.

The company that manages the site isn’t even a telecommunications provider — it’s just some nameless information aggregator trying to make a buck. Write your Representatives and Senators…demand data privacy laws so we can end these practices. Sites that publish such information (pipl.com is another good case) are ideal hunting grounds for stalkers, identity thieves, and others who would just love to get hold of more information about likely victims.

Not convinced? Visit a site called Intelius.com and search for your own name. For $.95 anyone can buy a report detailing your full name, date of birth, and other key facts, including your average income and value of your home. For $40, they can also obtain marriage, divorce, and other records. And yes, that means anyone — not just people you’ve authorized to obtain such information.

How wrong is this?

Social Networking Security

Tuesday, July 28th, 2009

Everyone who uses Facebook should be careful which applications they allow to access their profile, as shown by this recent incident. Likewise with any of your personally identifying data (full name, address, birth date, etc.).

While Facebook is pretty good about policing its content, many application developers are probably just gathering statistics (name, age, other demographics) using the application as a cover. Think of those “win a free car” paper applications in stores–what really happens when you fill one out is that you’re added to a local dealership’s mailing list.

Example: if you click on one of the polls or IQ tests, you may see photos of your friends at the top. This is the application pulling data from their profile.

Question: if the app is able to pull photos from user profiles, what else is visible to it?

Answer: anything you’ve allowed it to access in your profile settings.

I strongly suggest navigating to the “Settings” portion of Facebook and checking through some of the options. If you have things that are set to “everyone” (meaning anyone on Facebook can see this info) you might want to back it down to “friends only.” If you’re allowing your name, marital status, full birth date, and location to be viewed by “everyone,” you’ve just given an identity thief enough data to hijack your life. This is pretty much all the info you’d need to get a bogus Social Security card issued.

Also go to Settings->Application Settings and change the view from “recently accessed” to “authorized.” This will give you a reasonably full view of everything you’ve given access to. If you’re not actively using a given app, click on the X to remove its access to your profile. Or, if you want to retain access to an application, change the privacy settings from “everyone” to “only friends.” The same concept applies to all other social networking sites.

Basically, don’t allow others access to your personal info unless you absolutely know where it’s going.

“This Message Will Self-Destruct…”

Thursday, July 23rd, 2009

I’m old enough to remember the original “Mission: Impossible” TV series and its opening scene, which always included a tape recorded secret message that self-destructed ten seconds after it was played. My brother and I always thought it was very cool, and wondered how you’d actually do that on a reel-to-reel tape (I suggested an acid capsule that shattered once the tape was played). Oh, how times have changed.

Now we transmit nearly everything via digital means, and the problem of message destruction remains. In fact, companies are in a bind because they may be retaining encrypted messages for which they have no decryption key (maybe an employee has left the company and their key is no longer available). If the company is subpoenaed and required to disclose all documents related to a given case, they can be held in contempt for failing to decrypt stored messages due to lost keys.

However, there’s another problem: what if you want messages to vanish after a specific period of time? It turns out there’s an interesting new solution from the University of Washington. Known as “Vanish,” it’s designed to digitally shred documents after a given period by “shattering” an encryption key kept not by the sender and recipient, but on a remote network.

With this unique solution, this key is “held by neither party in an e-mail exchange but is widely scattered across a peer-to-peer file sharing system.” It’s especially applicable to data held in “Cloud” computing networks, which are often not directly under the control of the data’s owners. It appears the key can be renewed periodically by the sender or recipient, but if it expires (let’s say some third party copies the file or email off the network covertly, storing it on a Flash drive…) then the file is instantly inaccessible and unrecoverable. No key, no data. This means a file stored using Vanish couldn’t come back to haunt a company or individual years after it had allegedly been deleted from a server.
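A sketch of the key-scattering idea described above, added here as an illustration; it is not code from Vanish or from this post. It assumes Shamir threshold secret sharing as the way the key is "shattered" and stands in for the peer-to-peer network with an in-memory store and a simulated clock; the share counts and the 8-hour lifetime are constructed values.

```python
import secrets

P = 2**521 - 1  # prime modulus, larger than any 128-bit key

def split_key(key, n, k):
    """Shamir split: any k of the n shares rebuild key; fewer reveal nothing."""
    coeffs = [key] + [secrets.randbelow(P) for _ in range(k - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation of the polynomial at x
            y = (y * x + c) % P
        shares.append((x, y))
    return shares

def combine_shares(shares):
    """Lagrange interpolation at x = 0 recovers the constant term (the key)."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * -xj % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret

class SimulatedDHT:
    """In-memory stand-in for a peer-to-peer store whose entries age out."""
    def __init__(self):
        self.now = 0        # simulated clock, in seconds
        self.entries = {}   # index -> (share, expiry time)

    def put(self, index, share, ttl):
        self.entries[index] = (share, self.now + ttl)

    def get(self, index):
        share, expires = self.entries.get(index, (None, 0))
        if expires <= self.now:  # expired or never stored
            self.entries.pop(index, None)
            return None
        return share

def scatter_key(dht, key, n, k, ttl):
    """Store n shares under random indices; the indices travel with the ciphertext."""
    indices = [secrets.token_hex(8) for _ in range(n)]
    for index, share in zip(indices, split_key(key, n, k)):
        dht.put(index, share, ttl)
    return indices

def recover_key(dht, indices, k):
    """Return the key if at least k shares are still retrievable, else None."""
    live = [s for s in map(dht.get, indices) if s is not None]
    return combine_shares(live[:k]) if len(live) >= k else None

def demo():
    dht, key = SimulatedDHT(), secrets.randbits(128)
    indices = scatter_key(dht, key, n=10, k=7, ttl=8 * 3600)  # constructed values
    for index in indices[:3]:   # three nodes drop out: 7 shares remain
        dht.entries.pop(index)
    dht.now += 3600
    before = recover_key(dht, indices, 7)
    dht.now += 8 * 3600         # past the TTL: every share has aged out
    after = recover_key(dht, indices, 7)
    return key, before, after

if __name__ == "__main__":
    key, before, after = demo()
    print("recovered before expiry:", before == key, "| after expiry:", after)
```

The threshold lets the key survive some nodes leaving the network, while anyone holding only the ciphertext and share indices after expiry has nothing left to fetch.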

As with all encryption schemes, the new technology is a bit problematic. Both sides need to use the Vanish plugin or application in order to access the encrypted mails. The legal issues are, as usual, muddy. But it’s another weapon in the digital security arsenal, which is never a bad thing.

No acid required.

Medical Empowerment via Technology

Tuesday, July 14th, 2009

Recently a relative was experiencing hip pain, and her doctor scheduled “imaging studies” (back in the day, they would have just said “X-Rays”) in order to diagnose the problem. The studies actually consisted of a pretty thorough MRI (Magnetic Resonance Imaging) series, with contrast, in order to see what problem might be lurking in her hip joint.

Once the studies were done, she needed to take a copy of the “films” to her orthopedic doctor, and also wanted to have another surgeon review the results. So today we walked into the MRI center and requested a copy of the studies. The administrator said “sure, we can do that right now. Wait here.” Fifteen minutes later she handed us — a CD.

I was immediately curious. Were the files on the disc in an encrypted format? Were they written in a specialized file format readable only by hospitals with sophisticated gear? We opened the envelope containing the disc, and found that it contained not only the studies themselves, but an embedded Windows application that could view them. Popping the CD into a local drive brought up the viewer, which allowed us to not only look at the studies, but read the Radiology report and step through the various views (there were 7, all from different angles). Clicking on an image produces a matching crosshair on other images in the set, so you can isolate exact anatomical points for further viewing.

Full 3-D imaging studies. All on a PC.

You can say goodbye to the days of lugging around packets of physical (and easily scratched or damaged) X-Ray films or MRI images. Now you can carry your medical records on a few CDs or DVDs, and anyone at any hospital can probably read them without specialized software. The diagnostic tools provided by technology are pretty incredible overall. This type of information was almost unimaginable only a decade ago. Who knows what the next decade will bring?

But of course, the same caveats apply. Portability and easy access also mean the data is easier to lose, and simple for anyone else to view. If you do keep copies of your own medical data at home, keep them under lock and key.