Once it’s out, it’s out

November 15, 2008 in en, privacy, security

Have you ever said anything you wanted to take back right after you finished the sentence? Well, maybe you got lucky and there were only a few people around. But once you put something on the web, it’s there forever. The Internet doesn’t have a delete button.

There are always the omnipresent caches and archives, so even deleting content from your site doesn’t help. This happened recently when Apple pulled the biography of their new executive Mark Papermaster from their website, after a court barred him from reporting to work at Apple until his lawsuit with IBM is closed. I will not go into details (you can read the Ars Technica coverage of the issue) because my point lies elsewhere. You can say what you want: if it is connected to the Internet, it is public. FULL STOP.

The Internet is full of stories of people who wanted to hide their humiliations and errors from the public by injunctions, lawsuits and whatnot. The end result is almost always the Streisand effect. If you read the wiki, there are some nice examples of why you should keep your private things private. Once it’s out, trying to censor it will only make it worse (the more famous/sexy you are, the worse for you). It might be a good time to read guides to privacy right now. I know you are not going to do that anyway, but it is still my dream that one day a new generation will be able to protect their privacy online. Unfortunately, anecdotal evidence suggests otherwise.

By the way, does anyone know of a simple list of things to improve your privacy online?

Earn money sending spam!

November 14, 2008 in en, privacy, security

Seriously. According to a joint study by security researchers, the Storm botnet can generate as much as $3.5M of revenue per year. It was definitely one of the most ingenious research and analytical papers I have read so far.

In order to measure the effectiveness of spam campaigns, the researchers joined the Storm botnet with bots that were used to conduct a MITM attack on Storm itself. These bots changed the spam campaigns slightly and redirected the targets of the campaign (users) to servers controlled by the researchers. These servers mimicked the spammers’ websites and counted the number of visitors and the number of actual victims who fell for the scams and provided their information (credit card number, social security number, etc.). If the results are correct, spam campaigns are effective in less than 0.00001% of cases. This number is indeed extremely low, but if you consider the size of Storm and the number of emails it sends every day, you get to more interesting numbers, ranging from $7000 to $9500 of revenue per DAY.

I left out a few interesting details, so if you have some time, consider reading the whole paper (12 pages).

We need CAPTHHA

October 11, 2008 in en, privacy, rant, security, software engineering

I am pretty sure everyone has seen a CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) before. Maybe you didn’t know the (full) name, but you have encountered it when registering accounts, posting comments or accessing some parts of the web. You know, those annoying things that exercise your ability to recognize distorted words on weird backgrounds.

CAPTCHAs are used to protect against automated attacks. For example, automatic registration of new users on Gmail would create great opportunities for spammers. CAPTCHAs are mostly working, even when they get “hacked” from time to time. The biggest problem? They are reaching levels where even humans have problems reading the letters. I still have nightmares when I remember the CAPTCHAs used on RapidShare. Telling cats from dogs was somehow not that easy for me. I am not sure about the “hackability” of reCAPTCHA, but as far as usability goes, it’s one of the best ones for me. Too bad only a few sites are using it.

The main problem of CAPTCHAs is not their complexity but relay attacks and human solvers from third-world countries paid to solve thousands of CAPTCHAs a day. What we really need is CAPTHHA (Completely Automated Public Test to tell Humans and Humans Apart). Computer science is far from being able to tell humans with “clean” intentions from those being paid to get past the defences. One solution would be to issue certificates of “humanity” signed by a central authority. You could then ban users who were misusing their certificates. There are of course privacy and security problems with this approach, not to mention financial “issues”, so I guess this is not how it’s gonna work. Other approaches have also been tried, but they usually have accessibility problems for disabled people. I am certainly interested in how computer science solves this problem.
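To make the “certificate of humanity” idea concrete, here is an added example (my own toy code, not anything from the post or from any real CAPTCHA vendor). A hypothetical central authority issues signed tokens, a site asks the authority to verify a presented token, and the authority can revoke the serial of anyone caught misusing theirs. HMAC with the authority’s secret stands in for a real public-key signature, so verification goes through the authority (which is also where the revocation check lives). The `same_holder` function shows the privacy problem mentioned above: the token is a stable identifier, so two sites (or the authority) can link one person’s visits.

```python
# Added example, not code from the original post: a toy "certificate of
# humanity" scheme. A hypothetical central authority issues tokens, verifies
# them for sites, and revokes serials that get misused. HMAC stands in for a
# real signature, so only the authority can verify.
import base64
import binascii
import hashlib
import hmac
import json
import secrets


def encode_part(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()


def decode_part(text: str) -> bytes:
    return base64.urlsafe_b64decode(text.encode())


def certificate_body(token: str) -> dict:
    """Decode the claims of a token WITHOUT checking the signature."""
    payload_b64, _tag_b64 = token.split(".")
    return json.loads(decode_part(payload_b64))


def same_holder(token_a: str, token_b: str) -> bool:
    """True if two tokens presented to different sites carry the same serial.
    This is the linkability problem: every site sees the same identifier."""
    return certificate_body(token_a)["serial"] == certificate_body(token_b)["serial"]


class HumanityAuthority:
    """Hypothetical central authority that issues, verifies and revokes
    certificates of humanity."""

    def __init__(self, secret: bytes = None):
        self.secret = secret or secrets.token_bytes(32)
        self.revoked = set()  # serials of certificates that were misused

    def _sign(self, payload: bytes) -> bytes:
        return hmac.new(self.secret, payload, hashlib.sha256).digest()

    def issue(self, holder: str, valid_days: int = 365, now: float = 0) -> str:
        """Issue a token for `holder`; `now` is a Unix timestamp (test seam)."""
        body = {
            "holder": holder,
            "serial": secrets.token_hex(8),  # random, unique per certificate
            "exp": int(now + valid_days * 86400),
        }
        payload = json.dumps(body, sort_keys=True).encode()
        return encode_part(payload) + "." + encode_part(self._sign(payload))

    def revoke(self, serial: str) -> None:
        """Ban a certificate after its holder was caught misusing it."""
        self.revoked.add(serial)

    def verify(self, token: str, now: float = 0):
        """Return (True, holder) for a valid certificate, else (False, reason).
        Signature is checked before any field is trusted."""
        try:
            payload_b64, tag_b64 = token.split(".")
            payload, tag = decode_part(payload_b64), decode_part(tag_b64)
        except (ValueError, binascii.Error):
            return False, "malformed"
        if not hmac.compare_digest(tag, self._sign(payload)):
            return False, "bad signature"
        body = json.loads(payload)
        if body["serial"] in self.revoked:
            return False, "revoked"
        if now > body["exp"]:
            return False, "expired"
        return True, body["holder"]


if __name__ == "__main__":
    authority = HumanityAuthority()
    token = authority.issue("alice", now=1_000_000)
    print(authority.verify(token, now=1_000_500))          # (True, 'alice')
    authority.revoke(certificate_body(token)["serial"])
    print(authority.verify(token, now=1_000_500))          # (False, 'revoked')
```

Note what revocation does and does not buy you: a paid solver presenting their own valid certificate passes exactly like anyone else, and can only be banned after the fact, while every honest user pays with a tracking identifier up front.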

Dropbox

September 24, 2008 in en, open source, privacy, software

I had this in my “almost-finished-near-ready-to-publish” folder for some time already. The past week was again a little crazy in my personal life, so no real time to finish this small piece until now… :)

Do you frequently switch between two computers that are not connected by a local network? If so, I guess you have wanted to share data between them at least once before. It used to be a hassle. Now it’s easy. Dropbox started public open beta-testing of their service a few weeks ago. If you haven’t heard of Dropbox, here is my little intro. Dropbox is essentially centralized version tracking accessible from anywhere without the need to configure anything. You copy the files you want to share with other machines to your Dropbox directory and they are automatically uploaded to the Dropbox server. If another machine on the other end of the world is running with the same Dropbox account, it is automatically synced. If it sounds confusing, I encourage you to read the introduction tour on their website. A free account gives you 2GB of storage and unlimited bandwidth, so it’s not that bad. Most of all, it “just works(tm)“. And you can later upgrade to the Pro version with 50GB of space for $9.99/month or $99.99/year. I am not sure about availability outside the US, but I guess that’s not gonna be a problem.

You can synchronize files between Windows, Mac OS X and Linux machines. There are still a few rough edges, but I guess that’s why it’s beta :). It would be really nice if the protocol for communicating with the Dropbox server were made public, but I guess I am asking for too much. At least the Nautilus interface in Linux is GPLed, and there are already alternative “clients” for retrieving the status of your Dropbox account.

The good thing is that you can also share files with the rest of the world, just like you would with, for example, a Rapidshare account. The difference? No limits on file sizes (so far, as far as I know). I just wonder how they will fight the sharing of illegal data.

With services like this, privacy is always a concern. You give up a certain amount of privacy by uploading your files to a 3rd-party server. So whatever you do, be sure to encrypt your private files. Happy sharing.
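One way to follow that advice, as an added example that is not the post’s own code nor anything Dropbox ships: encrypt the file with a password before it ever lands in the synced folder, and decrypt it on the other machine. It assumes the third-party `cryptography` package (`pip install cryptography`); the on-disk layout (a 16-byte random salt followed by a Fernet token) and the PBKDF2 iteration count are this example’s own choices. Fernet authenticates the ciphertext, so a wrong password and a blob that was modified in transit or on the server both fail the same way instead of yielding garbage.

```python
# Added example, not the post's or Dropbox's code: password-based encryption
# of a file before it goes into a synced folder. Assumes the third-party
# `cryptography` package. File layout (salt + Fernet token) is our own choice.
import base64
import secrets
from pathlib import Path
from typing import Optional

from cryptography.fernet import Fernet, InvalidToken
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC

SALT_LEN = 16
KDF_ITERATIONS = 480_000  # slows down offline password guessing on a leaked file


def key_from_password(password: str, salt: bytes) -> bytes:
    """Derive a 32-byte Fernet key (urlsafe base64) from a password and salt."""
    kdf = PBKDF2HMAC(algorithm=hashes.SHA256(), length=32, salt=salt,
                     iterations=KDF_ITERATIONS)
    return base64.urlsafe_b64encode(kdf.derive(password.encode("utf-8")))


def encrypt_bytes(plaintext: bytes, password: str) -> bytes:
    """Fresh random salt per file, so identical files give different blobs."""
    salt = secrets.token_bytes(SALT_LEN)
    return salt + Fernet(key_from_password(password, salt)).encrypt(plaintext)


def decrypt_bytes(blob: bytes, password: str) -> Optional[bytes]:
    """Return the plaintext, or None if the password is wrong or the blob was
    tampered with (Fernet's built-in HMAC rejects modified ciphertext)."""
    if len(blob) <= SALT_LEN:
        return None
    salt, token = blob[:SALT_LEN], blob[SALT_LEN:]
    try:
        return Fernet(key_from_password(password, salt)).decrypt(token)
    except InvalidToken:
        return None


def encrypt_file(src: Path, synced_dir: Path, password: str) -> Path:
    """Write <name>.enc into the synced folder; the plaintext never enters it."""
    dst = synced_dir / (src.name + ".enc")
    dst.write_bytes(encrypt_bytes(src.read_bytes(), password))
    return dst


def decrypt_file(src: Path, dst: Path, password: str) -> bool:
    """Decrypt an .enc file to dst; False (and no output) on wrong password."""
    data = decrypt_bytes(src.read_bytes(), password)
    if data is None:
        return False
    dst.write_bytes(data)
    return True


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        home, dropbox = Path(tmp) / "home", Path(tmp) / "Dropbox"
        home.mkdir(); dropbox.mkdir()
        secret = home / "notes.txt"
        secret.write_text("constructed sample: my private notes")
        enc = encrypt_file(secret, dropbox, "correct horse battery staple")
        print(enc.name, len(enc.read_bytes()), "bytes in the synced folder")
        print("wrong password:", decrypt_file(enc, home / "out.txt", "guess"))
        print("right password:", decrypt_file(enc, home / "out.txt",
                                              "correct horse battery staple"))
```

Keep the password (or a long random key) out of the synced folder itself; the whole point is that the server and anyone who gets the blob only ever see ciphertext.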