Hacking Gmail, Amazon, and Apple – Problems with Humans and Cloud Security

Re-posted from SEC4Lib:

On Tue, Aug 7, 2012 at 8:41 AM, Blake Carver <btcarver@lisnews.com> wrote:

Here’s a follow up on that story from yesterday. It’s a good, short, read and has some really good lessons. I know I need to make some changes now.

“How Apple and Amazon Security Flaws Led to My Epic Hacking” http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/all/

“I should have been regularly backing up my MacBook. I shouldn’t have daisy-chained two such vital accounts. I shouldn’t have used the same e-mail prefix across multiple accounts. I should have had a recovery address that’s only used for recovery without being tied to core services. I shouldn’t have used Find My Mac.”

To me, this is the result of short-term profit maximization at the corporate level mixed with the path of least resistance at the user level.  Companies can operate cheaper, more efficiently up to the point of the hack in the cloud and maximize profits.  Users don’t have to do too much to enjoy the convenience of the cloud up to the point of the hack.  Yet, with each successful hack, the knowledge of how to hack becomes known globally – greatly increasing risk to all users and all companies using the cloud.

When I did a quick security review of Ocean State Libraries, Sacramento Public Library, and The Library Connection last year, even fundamental security measures were not being taken:  http://bestofpublib.wordpress.com/2011/05/15/pubic-library-security-insecurity/

Library Fight Club

Fortunately, OSL did step up their security a bit with PINs, but it created inconvenience to the administrators and the users.  One of the librarians who witnessed the events leading to the change told me that the battle for security over short-term convenience was ugly, but she did not want to speak about it publicly. I can understand that, given the justifiable paranoia over having the circulation records used for identity theft and no one wanting to take responsibility.  But, all it takes is just a bit of laziness at the top levels and bad policy to put everyone at risk. And, unfortunately, the first rule of Library Fight Club is not to talk about Library Fight Club, so everyone does not know of the risk. Knowledge of risk is limited to insiders who may not know how to manage risk and ensure accountability.

I think the real point of the Mat Honan article  is that the writer was not dumb – he is most likely in the top 2% of people who understand technology.  So, every ‘error’ he made – which would not be considered errors by the other 98% of us - is a risk.

The people working in libraries most likely represent the upper 30 or 40% of people who understand technology simply by being surrounded by books and publicly paid for technology.  But, as gatekeepers to those resources they create the impression of expertise.  Some are experts, but really most are not.  Standing next to a pile of books does not mean you read them.  Being able to turn on a computer does not mean you know how it works.  Being responsible for information security does not mean that the information is secure.

What we can take from the Mat Honan article is the humility of the author in showing that he failed himself and should have known better.  There are many, many people in administrative positions including libraries that are responsible for information security who would never admit that they know not what they do.  There are many, many people in corporations that will never admit or may not even know that their systems have been or are compromised.  All we can hope for is strong laws that mandate reporting and at least a few people such as the author of the Wired article to own up to what they do not know as an example for the other 98% of us.

It used to be that you would need to be able to configure Satan and really have a strong grasp of command line interfaces and operating systems to be a hacker.  You really would need advanced knowledge and some fairly sophisticated resources to hack. Not any more.

Backtrack (http://www.backtrack-linux.org/) can be installed very easily and used by novice hackers with ill intent, utilizing easy-to-follow step-by-step instructions on YouTube.  Just using one of my high-gain antennas with a little laptop, I can war drive or sit in my house and see many, many exploitable WiFi services locally with little or no protection. I could crack a WEP in about 2 minutes, but so many people now rarely even bother to protect their WiFi. They are just happy that it works out of the box.  As an ethical hacker, I will never exploit those vulnerabilities.  But, the time when exploitation was limited to those with wilful intent, advanced knowledge of computer systems along with strong social engineering skills has passed. We are now in an era where a hack can be easily accomplished with a bit of simple social engineering (SPOKEO anyone?), the intent and common access to a computer. In fact, with very little knowledge about computer systems it would be very easy to inadvertently exploit a system using Backtrack without intent.

I think one of the upsides of less need for advanced knowledge is that we are now seeing powerful cases being built against companies from the digital forensic side where they are doing some pretty sleazy things at the highest level:  http://www.sfgate.com/business/bloomberg/article/Standard-Chartered-Falls-Most-in-24-Years-on-N-Y-3769142.php  In the paper age, the information about these sorts of activities was much easier to control and compartmentalize.  Automated computer forensic tools can greatly simplify investigation without requiring advanced degrees in computer science to operate.

*******************

Robert L. Balliot

http://linkedin.com/in/robertballiot

http://bestofpublib.wordpress.com

http://www.facebook.com/robert.balliot

http://oceanstatelibrarian.com/contact.htm

*************************************************

Please join us on BestofPublib Facebook

The Publib Archives

The Publib archives from the Webjunction listserve are available here: Archives  (Wait – they really aren’t anymore).

Archives compiled after Dec. 7, 2011 are available here: Archives

Free Gutenberg!

Actually, it is a free Gutenberg the Geek.

Update:  Gutenberg the Geek is no longer available for free – it is back up to 99 cents.

Gutenberg Press

Stop the presses! BuzzMachine.com blogger Jeff Jarvis, author of What Would Google Do?, is offering his Kindle Single Gutenberg the Geek today (4/27/12) for free through Amazon.

It was well worth the 99 cents I spent for it and gives a nice synopsis and comparison between Gutenberg as an entrepreneur and our high-tech entrepreneurs of today.

Free Gutenberg!: http://www.amazon.com/dp/B007EI62I0

The Broken Publib Listserve or Control through Incorporation

I have come here not to bury Publib, but to praise it.

Ghost of Publib

Last year, OCLC announced that they would graciously host the popular Publib listserve.  With 10 thousand + subscribers representing libraries throughout the world, it certainly represented a win/win situation.  OCLC – which sells its products to libraries would host and subscribers – who buy products from OCLC could continue to subscribe.  OCLC would benefit from the feel-good PR and the ability to data-mine and Publib subscribers could continue to enjoy the communication resource they have contributed to since the early 1990s.

While being hosted by UC Berkeley and Webjunction, Google and Yahoo! and all of the other major search engines readily indexed the discussions by Publib contributors. Even now, a quick engine search of almost any topic regarding public libraries renders a link to a Publib posting from previous years.  

But, all of those links are now broken and the provenance of indexing has been destroyed.  Although you may still view cached files, the only way to get live files is to go behind the wall set up by OCLC.  Access to the root directory is by subscription only, so the search engines no longer index the content: http://listserv.oclc.org/  So, everyone who searches any topic ever posted on Publib must now go through OCLC and search the files that they exclusively control.

What a great benefit this must represent to the corporate interests of OCLC! Thousands and thousands of postings on every topic regarding public libraries, created by uncompensated authors, and they now control all of the content and its indexing for almost no associated cost and can monitor and data-mine all usage by the library community.  OCLC established and litigated ownership and control of Dewey Decimal Classification (DDC) in OCLC v. The Library Hotel and was recently accused of antitrust violations by SkyRiver and Innovative Interfaces.  Does OCLC now effectively have intellectual property rights to all of the work by Publib contributors?

Hosting a listserv is really not a big deal.  It is fairly low level technology and relatively easy to manage.  With a bit of server space, Open Source programs such as Mailman can be set up that can manage a huge number of subscribers:

http://wiki.list.org/display/COM/Organizations+that+use+Mailman

Hosting by a non-corporate entity such as a library school or a large library system would have made much more sense.  The original iteration, with UC Berkeley hosting, nested the conversation in a bastion of free speech.  Is removing and blocking indexing censorship? Is vetting all new subscribers appropriate?  Does the ability to restrict access represent ownership? Does hosting a listserve and controlling access to everything previously written grant intellectual property rights and equate to ownership? Is Publib just another example of intellectual outsourcing?

Time will tell. But, at this time Publib is a ghost of what it once represented.

Happy Birthday Bill!

William Shakespeare at 448

William Shakespeare is 448!

Thou doth not look a day over 440 ~ Party on and Party Bard! 

Today, April 23, 2012 William Shakespeare would be 448.

Shakespeare Festivals and Theaters around the US:

Shakespeare Fellowship

Coming Soon . . .

Dear Publib friends:

We will resume the publication of Best of Publib reviews of the listserve topics at the end of this semester with a special edition covering January through May 2012.

If you have recommendations for important strings of content that were well vetted on Publib between January and May, please contact me and we will process it at the end of May.

I’ll be back . . . :)
*******************
Robert L. Balliot
http://linkedin.com/in/robertballiot
http://bestofpublib.wordpress.com
http://oceanstatelibrarian.com/contact.htm
*************************************************

Celebrating Charles Dickens: Nicholas Nickleby (1838)

“The pain of parting is nothing to the joy of meeting again.” – Nicholas Nickleby, Charles Dickens

Nicholas Nickleby Cover

A young gentleman must earn a living when his father’s death leaves the family bereft of financial support because of a bad investment.  To support his mother and sister, he accepts a position as a schoolmaster in a country school and is horrified about what he sees.  After an incident at the school, the young man leaves with a new friend.  This is the story of Nicholas Nickleby, who is the title character of Charles John Huffam Dickens’s third novel.

Dickens first wrote Nicholas Nickleby as a serial in 1838. Hablot K. Browne (known as Phiz) contributed illustrations for the story.  The following year it was republished in book format. A second edition was published with revisions in 1848.

As the novel progresses, Nicholas finds another position as a private tutor and then works in a theater company owned by the Crummles, a husband and wife team.  (Nicholas isn’t the only one working; his sister Kate briefly works too.)  When an urgent situation arises, Nicholas and Smike immediately leave, but not without a dramatic personal farewell from Mr. Crummles.  Nicholas’s new position is as a clerk in the Cheeryble brothers’ shop; the brothers are merchants.  All the while his uncle, Ralph Nickleby, becomes obsessed with ruining his nephew…

Chimney Scene, by ‘Phiz’

If you have read any of Dickens’s novels, you know he writes about serious topics. For Nicholas, one especial topic touched on is the notorious boarding schools of the day, something Dickens observed first-hand. Poverty and greed are other recurring themes.  There also are plenty of comical scenes throughout the story.  For instance, coming down a chimney is no way to make a neighborly impression!  Romance is also part of the plot line.  Nicholas develops feelings for Madeline Bray and intervenes for her during a crucial moment in the story.

Nicholas Nickleby Illustration - by Hablot K. Browne

This was my fourth Dickens novel.  In junior high school, I read Great Expectations, Oliver Twist, and A Tale of Two Cities for fun. I bought Nicholas Nickleby (published by Penguin Classics with a 2003 copyright date) at Borders three years ago, read a few chapters, and set it aside.  This year is Dickens’s bicentennial birthday, so it was a good reason for me to resume reading the novel.  Although the novel is long, I enjoyed it.  What’s a Dickens novel without memorable villains, eccentrics, and comics? You’ll meet plenty along the way.  At times there were slow parts, but they didn’t detract from the story. I enjoyed seeing the illustrations as I read.  For the Penguin edition, Mark Ford wrote the introduction, and a Dickens chronology is included. Appendixes and explanatory notes follow the text.

Like Dickens’s other novels, Nicholas Nickleby has been adapted for TV and as a movie.  It was a TV miniseries in 1947 and 1982. The latest TV adaptation of Nicholas Nickleby was in 2001.  In college, I watched it on Bravo one night and enjoyed it. (We had good cable service for a small college!) In this adaptation, James D’Arcy stars in the title role, with Sophia Myles as his sister Kate and Charles Dance as Ralph Nickleby.  It was this 2001 adaptation that introduced me to the novel.

In 2002, Charlie Hunnam starred as Nicholas in a movie adaptation of the novel. Of course, a lot of the novel was cut for the movie, so you don’t get the full story.  I have seen this too and prefer the 2001 adaptation.

Nicholas Nickleby is still available in print and online for your reading pleasure.  If you read this novel years ago or haven’t read it yet, do pick it up and enjoy!

Link of interest

Charles Dickens Museum: www.dickensmuseum.com/
Give Forward

I have tried to provide support for library fund raisers in the past on Best of Publib.  But, this one is personal.

My niece Jackie is being treated for cancer at Duke Children’s Hospital  and her family needs help meeting medical expenses.  If you would like to contribute, or know of someone who would like to help – they have just set up a website to accept donations through the non-profit fund raising entity Give Forward .

http://www.giveforward.com/jackieballiot

Thank you for your help!

Sincerely,

Robert L. Balliot
