<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Tech From Tech</title>
	<atom:link href="http://www.timtutt.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.timtutt.com</link>
	<description>Because everyone needs a little Tech</description>
	<lastBuildDate>Tue, 23 Oct 2012 03:22:48 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.5.1</generator>
		<item>
		<title>National Security Rant</title>
		<link>http://www.timtutt.com/2012/10/22/national-security-rant/</link>
		<comments>http://www.timtutt.com/2012/10/22/national-security-rant/#comments</comments>
		<pubDate>Tue, 23 Oct 2012 03:22:48 +0000</pubDate>
		<dc:creator>Tim Tutt</dc:creator>
				<category><![CDATA[cyber security]]></category>
		<category><![CDATA[Politics]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.timtutt.com/?p=222</guid>
		<description><![CDATA[&#60;Begin Political Rant&#62; I have not done this in a while, but after watching this evening&#8217;s debate on Foreign Policy, I am thoroughly disappointed in both candidates. When asked what the #1 future National Security Threat was, neither candidate responded &#8230; <a href="http://www.timtutt.com/2012/10/22/national-security-rant/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
				<content:encoded><![CDATA[<p>&lt;Begin Political Rant&gt;</p>
<p>I have not done this in a while, but after watching this evening&#8217;s debate on Foreign Policy, I am thoroughly disappointed in both candidates. When asked what the #1 future National Security Threat was, neither candidate responded correctly. What answers did we get? Some fluff answer about jobs and China and a nuclear armed Iran. You both receive a grade of F on this question. In fact, the President gets an F- for saying the words &#8220;cyber security&#8221; and not following up.</p>
<p>Why am I so harsh on this particular issue? Let&#8217;s take a quick look at just the past two weeks:</p>
<ul>
<li><a href="http://timesofindia.indiatimes.com/tech/enterprise-it/security/Massive-cyber-attacks-target-Middle-East-oil-companies/articleshow/16911900.cms">Middle Eastern Oil Companies Hacked</a></li>
<li><a href="http://www.cnn.com/2012/10/07/opinion/greene-cyber-real/index.html">Six US Banks Hacked</a></li>
<li><a href="http://www.datamation.com/news/google-warns-some-gmail-users-about-state-sponsored-cyberattacks.html">Your e-mail is not safe either</a></li>
</ul>
<p>That&#8217;s just to name a few biggies. News media not enough? How about these little tidbits:</p>
<ul>
<li>In 2009 the current Administration established the nation&#8217;s first cyber security czar to respond to cyber threats against America</li>
<li>In the same year the US Cyber Command was established to respond to cyber threats and expand the Nation&#8217;s capabilities in cyberspace</li>
<li>2010 Stuxnet was discovered &#8211; one of the most massive computer worms ever.</li>
<li>2012 Flame &#8211; even worse than Stuxnet</li>
</ul>
<p>With all of this going on, please tell me how, throughout their campaigns and in the debates:</p>
<ul>
<li>Neither candidate discusses the cyber threat at any length</li>
<li>Romney has failed to even mention the phrase &#8220;cyber security&#8221;</li>
<li>Obama has mentioned &#8220;cyber security&#8221; and not expanded on it</li>
</ul>
<p>It is an absolute shame that these candidates flat out ignore the significant threat that is posed in the cyber arena. The &#8220;major&#8221; newsworthy events that I have mentioned here do not even scratch the surface of how significant the threat is. I didn&#8217;t even mention the fact that <a href="http://www.terminalx.org/2012/03/security-experts-say-china-hacked.html">major defense contractors are being hacked by China</a>.</p>
<p>Yes, I blame these candidates for not talking about this, but I also put blame on the moderators of debates and every single journalist out there who has had the opportunity and failed to press these candidates on this topic. I put the blame on all of those undecided voters in New York who asked about all the same things we heard about all along the campaign trail. I am thoroughly unimpressed right now.</p>
<p>It amazes me that this is not one of the deciding factors of this election. It amazes me that no one seems to think to ask about this. It amazes me that in 2012 abortion and GLBT rights are still being discussed as if they affect the very fabric of our ability to survive as a nation and cyber security is not even mentioned.</p>
<p>Very frustrated right now.</p>
<p>&lt;/End Political Rant&gt;</p>
]]></content:encoded>
			<wfw:commentRss>http://www.timtutt.com/2012/10/22/national-security-rant/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Building Better Software</title>
		<link>http://www.timtutt.com/2012/08/13/building-better-software/</link>
		<comments>http://www.timtutt.com/2012/08/13/building-better-software/#comments</comments>
		<pubDate>Mon, 13 Aug 2012 22:52:35 +0000</pubDate>
		<dc:creator>Tim Tutt</dc:creator>
				<category><![CDATA[Age of Information]]></category>
		<category><![CDATA[Application Development]]></category>
		<category><![CDATA[General]]></category>
		<category><![CDATA[Programming]]></category>
		<category><![CDATA[Software Development]]></category>
		<category><![CDATA[Tech Ed]]></category>

		<guid isPermaLink="false">http://www.timtutt.com/?p=191</guid>
		<description><![CDATA[I have never been just a Software Developer.  In every job that I have had since I was young and started my own web development business, I have been put in the sales role performing functions from marketing and business &#8230; <a href="http://www.timtutt.com/2012/08/13/building-better-software/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
				<content:encoded><![CDATA[<p>I have never been just a Software Developer.  In every job that I have had since I was young and started my own web development business, I have been put in the sales role performing functions from marketing and business development, to sales negotiation and fulfilling contracts. In every sense of the word I have been an entrepreneur. Working as a Software Developer, I never just wanted to write code. I wanted to build effective tools that made business more efficient and to do so I had to understand the business. Perhaps my experiences gave me a bit of an advantage, but it is an advantage that can be learned.</p>
<p>Not too long ago, an old co-worker of mine and I were having a discussion in which he described 3 types of technologists. The first type &#8211; your Level 1 technologists are effectively your soldiers. These are the developers that you can give a set of tasks to and they will march forward and write some of the most brilliant code you have ever seen to do exactly what you have asked them to do in the most efficient manner possible. Level 3 technologists are what you call your visionaries. These are the most brilliant minds in academia or a particular domain who are consistently ahead of the game. They are thinking about technologies 5 to 10 years out and are the ones who drive innovation. Level 2 technologists lie firmly in between and spend a lot of time understanding the business use case and attempting to apply the ideas of the visionaries to today&#8217;s business cases.</p>
<p>I lie firmly at Level 2 at this stage in my career, and I can confidently say that because of this I write better software than most others at the same stage in their careers. Writing software should not just be about writing code in the fewest number of lines possible. It should not just be about finding the best algorithms for specific problems. All of those things are components of writing software that solves real world problems. We absolutely need those people at the Level 1 stage who can effectively execute when given a task, but in order for those individuals to truly be effective Software Developers they need to be able to understand the business case.</p>
<p>I&#8217;ve worked on many projects and one common problem that I have seen is there is always a non-technical requirements team that understands the business case who hands technical requirements to a development team. The end result is usually a software product that the end users did not want. <a href="http://blog.thingsdesigner.com/uploads/id/tree_swing_development_requirements.jpg">Sound familiar?</a> The motivation behind this is usually a stigma that developers do not know how to communicate with end-users. The fact of the matter is &#8211; all of the successful projects I have ever worked on were successful because I went out and spoke to the end users to truly understand their business case.</p>
<p>These projects were successful because when I approached the end-users, I took off my developer hat. I put on the hat of the end-user and fully immersed myself in what they were doing to truly understand the problems they were experiencing. This gave me not only insight into what they thought the problems were and how they could be solved, but also what other problems existed and how those could be solved. As technologists, it is our job to apply technologies to domains to make the life of the end users better &#8211; not to show off how you can write a data mining application in python in less than 10 lines. After the immersion session, I took what I learned and put my developer hat back on. What you eventually learn is that most users across domains have very similar problems, and later you can spend less time trying to understand the problems because you already know them.</p>
<p>It is time to stop building development teams full of only Level 1s who never become domain experts. They have a lot to offer to the visionaries who may not be aware of the technical capabilities that exist right there within their own teams.  Additionally, when you have the opportunity to become a domain expert by being surrounded by Level 2s and 3s, you start to write better software. I intentionally surround myself with Level 3s in hopes that one day I will become the visionary type that everyone looks to. In order to build better software, we need to be sure that all levels are tightly integrated and understand the business domains in which they work. Otherwise, the software is being written for the sake of writing software.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.timtutt.com/2012/08/13/building-better-software/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Rackspace Cloud And Domain Transfers</title>
		<link>http://www.timtutt.com/2012/05/01/rackspace-cloud-and-domain-transfers/</link>
		<comments>http://www.timtutt.com/2012/05/01/rackspace-cloud-and-domain-transfers/#comments</comments>
		<pubDate>Tue, 01 May 2012 07:01:10 +0000</pubDate>
		<dc:creator>Tim Tutt</dc:creator>
				<category><![CDATA[Application Development]]></category>
		<category><![CDATA[DNS]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[Server Setup]]></category>
		<category><![CDATA[Tech Ed]]></category>
		<category><![CDATA[Web Development]]></category>

		<guid isPermaLink="false">http://www.timtutt.com/?p=194</guid>
		<description><![CDATA[For starters, I actually had not planned on writing this article&#8230; Sometimes topics just fall into your lap, and you can do nothing else, but move on them. This one is going to be a little more directed than usual &#8230; <a href="http://www.timtutt.com/2012/05/01/rackspace-cloud-and-domain-transfers/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
				<content:encoded><![CDATA[<p>For starters, I actually had not planned on writing this article&#8230; Sometimes topics just fall into your lap, and you can do nothing else, but move on them. This one is going to be a little more directed than usual as it is inspired by an event that occurred today. For my more technical readers you can skip over the next three paragraphs to get to the meat of this story while I explain a few things like DNS to everyone else.</p>
<p>Here goes a quick crash course on the Internet, IP Addresses, Domains, and DNS. Contrary to popular belief the Internet is not run by a bunch of elves running around putting &#8220;cookies&#8221; on your machine. In actuality, what happens is your computer sends things called packets across the huge network that is the Internet.  These packets contain data with your requests or responses to and from servers and other devices on the Internet. Now usually you&#8217;ll type www.icanhascheezburger.com into your browser (i.e. Internet Explorer, Firefox, Safari, Chrome or the like) and magically get the day&#8217;s latest cute kittens, but how does this work?</p>
<p>Every device on the Internet has something called an Internet Protocol (IP) Address (for the sake of simplicity we won&#8217;t get into IPv6 vs IPv4 here today). An IP Address is effectively your online phone number. For instance, the IP address for this website is 69.195.75.87. When a computer makes a request to another computer it is actually using the IP address. But wait, you didn&#8217;t type that into your browser, so how did it know how to find me? That&#8217;s where DNS comes in. Domain Name System (DNS) is essentially the phone book for your computer on the Internet. Your computer shoots out a request and says &#8220;Hey which of you DNS servers can tell me where to find timtutt.com&#8217;s phone number?&#8221; One of them responds with a &#8220;Hey that&#8217;s me, his phone number is 69.195.75.87.&#8221; Once your computer has the phone number it can appropriately route packets across the Internet to serve you the content you want.</p>
<p>Now let&#8217;s look at this from the other side. When I purchased my domain from my registrar, I had to point it at some name servers and say &#8220;Hey name servers, you&#8217;re responsible for telling the world what the phone number is of the computer I assign this domain to.&#8221; Without getting into too many details &#8211; A Name records are the records that tell the name servers what the phone number is. So I add an A Name record to the DNS service telling it that timtutt.com is at 69.195.75.87, which is the IP address of the server that I&#8217;m hosting this website on. <strong>Typically</strong>, when I purchase that domain and point it to name servers, the only account that can change the IP address of my domain is mine, by modifying the A Name record. All of this is very simplified, but it gets the point across.</p>
<p>Now that we are all caught up, let&#8217;s get to my day. A few days ago, I decided I wanted to use Rackspace&#8217;s Cloud Servers for some random development projects and such that I was working on. I&#8217;ve used Rackspace in the past, love their support, the management console is great for rapid deployment of cloud servers, full control, prices are great etc&#8230; Now I&#8217;ve got about 10 domains with Bluehost (great host btw). I wanted to move some of those over to Rackspace so I could just manage domains and servers in the same place. Before I start rambling, let me just allow you to read the conversation I had with Rackspace support earlier today (scrubbed only to protect identity of support member):</p>
<blockquote><p>Welcome to the Rackspace Cloud! My name is &lt;redacted&gt;, how may I help you?<br />
&lt;redacted&gt;: Hi Tim!<br />
Tim Tutt: Hi &lt;redacted&gt;,<br />
Tim Tutt: I just spoke with one of your other support members about transferring a domain of mine to rackspace cloud servers<br />
Tim Tutt: they referenced a document, and in reading through it, I seem to be missing a step to bind a domain to my account and my account only.<br />
&lt;redacted&gt;: Can you post the link you were provided?<br />
Tim Tutt: It says I need to point to rackspace&#8217;s name servers, and then add an A name record in DNS, which is fine, but couldn&#8217;t in theory someone else add an A name record pointing my domain to their servers?<br />
Tim Tutt: <a href="http://www.rackspace.com/knowledge_center/content/transferring-your-domain-to-Rackspace-Cloud" target="_blank">http://www.rackspace.com/knowledge_center/content/transferring-your-domain-to-Rackspace-Cloud</a><br />
Tim Tutt: I&#8217;m assuming I&#8217;m just missing a step or it&#8217;s not documented.<br />
&lt;redacted&gt;: Of course!<br />
&lt;redacted&gt;: To answer your question, yes<br />
&lt;redacted&gt;.: you could update the DNS with your current DNS provider<br />
Tim Tutt: right &#8211; that was my other option if this turned out to not be a viable solution<br />
&lt;redacted&gt;: understood.<br />
Tim Tutt: so to be clear &#8211; someone with another rackspace account could add an A name record before me and point to their servers if I pointed the domain to the rackspace dns servers?<br />
&lt;redacted&gt;: Correct.<br />
&lt;redacted&gt;: That wouldn&#8217;t be very nice but it&#8217;s possible<br />
Tim Tutt: Okay got it &#8211; Well thanks very much. That makes my decision easy.</p></blockquote>
<p>Yes, you read that right&#8230; Essentially, by using the Rackspace name servers for my domain, I am giving anyone with a Rackspace cloud account the ability to hijack my domain. This completely floored me. How could a vulnerability so obvious exist in a provider that is so well known and trusted? To their credit, I am very impressed that Rackspace knew and were honest about this vulnerability, but it is still one that is hard to overlook.</p>
<p>In talking to some buddies of mine, Rackspace is not the only offender. Slicehost has a similar issue. What is really concerning here is the fact that this is not a hard issue to fix. Imposing a validation step to see if a domain is associated with a particular account is a trivial task.  Additionally, validating user ownership of a particular domain is also a trivial task so the association should also be easy.  It tends to amaze me when such large companies make mistakes like this one.  They have a number of resources at their disposal and lots of technical talent, yet they lack the ability to think about situations that compromise security.</p>
<p>Large organizations focus on implementing best security practices to ensure the safety and security of information and property of their customers, but the fact of the matter is even the most advanced of systems won&#8217;t help if there are bad practices in the most simple pieces of the system. Security should be focused on in every aspect of a system, not just the major parts that everyone pays attention to. This seemingly small issue is actually a major vulnerability. Hopefully Rackspace and others take care of issues like this one. I&#8217;d like to see fewer simple issues like this out there from major providers and vendors.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.timtutt.com/2012/05/01/rackspace-cloud-and-domain-transfers/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Time For A Change</title>
		<link>http://www.timtutt.com/2012/04/23/time-for-a-change/</link>
		<comments>http://www.timtutt.com/2012/04/23/time-for-a-change/#comments</comments>
		<pubDate>Tue, 24 Apr 2012 00:49:41 +0000</pubDate>
		<dc:creator>Tim Tutt</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://www.timtutt.com/?p=187</guid>
		<description><![CDATA[So as you have undoubtedly already noticed, the site has gone through a major facelift. It took me all of 5 minutes to make the decision when I started searching for new themes. Ran across this one over at NULL.in and &#8230; <a href="http://www.timtutt.com/2012/04/23/time-for-a-change/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
				<content:encoded><![CDATA[<p>So as you have undoubtedly already noticed, the site has gone through a major facelift. It took me all of 5 minutes to make the decision when I started searching for new themes. Ran across this one over at <a href="http://www.nullin.com/hemingwayex/" target="_blank">NULL.in</a> and thought it was pretty amazing. Quick install, and boom I&#8217;m done. I think I&#8217;ll stick with this one for a bit. Not the only technical change I&#8217;ll be making, but more on that later.</p>
<p>You should all also expect me to pick back up on writing a lot more starting soon. I&#8217;ve got a lot of posts that I&#8217;ve had in draft for a while, that will be finished, and many other ideas in the works. Focus will remain largely on the technical side, with some of my other rantings here and there. We&#8217;ll also have a few special guest writers, but again&#8230; more on that later.</p>
<p>For now, enjoy the new theme. Re-read some old stuff, and be on the lookout for the new things coming.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.timtutt.com/2012/04/23/time-for-a-change/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Why Agile Isn&#8217;t So Agile</title>
		<link>http://www.timtutt.com/2011/06/22/why-agile-isnt-so-agile/</link>
		<comments>http://www.timtutt.com/2011/06/22/why-agile-isnt-so-agile/#comments</comments>
		<pubDate>Wed, 22 Jun 2011 15:34:10 +0000</pubDate>
		<dc:creator>Tim Tutt</dc:creator>
				<category><![CDATA[Application Development]]></category>
		<category><![CDATA[Programming]]></category>
		<category><![CDATA[agile]]></category>
		<category><![CDATA[agile methodology]]></category>
		<category><![CDATA[agile software development]]></category>
		<category><![CDATA[application development]]></category>
		<category><![CDATA[customer requirements]]></category>
		<category><![CDATA[devops]]></category>
		<category><![CDATA[operations teams]]></category>
		<category><![CDATA[scrum]]></category>
		<category><![CDATA[software development]]></category>
		<category><![CDATA[software engineering]]></category>

		<guid isPermaLink="false">http://www.timtutt.com/?p=162</guid>
		<description><![CDATA[Project managers are process driven people. In fact, without the processes they put in place, project managers would be out of jobs. When it comes to software development, these guys make sure developers stay on track and don&#8217;t run down &#8230; <a href="http://www.timtutt.com/2011/06/22/why-agile-isnt-so-agile/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
				<content:encoded><![CDATA[<p>Project managers are process driven people. In fact, without the processes they put in place, project managers would be out of jobs. When it comes to software development, these guys make sure developers stay on track and don&#8217;t run down paths that have nothing to do with customer requirements. Sadly, developers are known for this. Something about personalities&#8230; I still don&#8217;t get that one. If more developers learned how to understand and speak to customers, project managers would be obsolete&#8230;</p>
<p>I digress &#8211; The point here is, the Agile Software Development methodology, while it has its benefits, is a tool for the project managers of the world to help enforce a process that actually is not as &#8220;agile&#8221; as it sounds.</p>
<p>Don&#8217;t get me wrong &#8211; for initial delivery of projects, the agile methodology has its benefits, but when customers hear the term &#8220;agile&#8221; they are thinking something a little different than what your local IT organization is thinking. A customer hears a PM sell them on the &#8220;agile&#8221; development team and thinks, &#8220;Once we&#8217;ve got our application, bug fixes and improvements will come immediately.  This team is dedicated to my project and I can call upon them at a whim for my needs&#8221;</p>
<p>As a member of several of these development teams, let me break it down for you. With the agile methodology, any single customer is only as important as their initial delivery. Every development team in any decent sized IT organization has several customers to deal with. Each one of those customers is just as important as the next unless this is the first time you have encountered this customer.</p>
<p>The first time you encounter a customer, that customer is Priority 1. Your team (or usually just the PM and lead developer) sits down with the customer, gathers requirements, and sets a schedule for the development team to follow. This schedule is usually designed for delivery of software within 3 to 6 weeks. From that point, until the end of the period, that customer&#8217;s requirements are the only priority because the goal here is to win them over with the speed at which your group can deliver product. You&#8217;ll have your daily scrums to discuss any issues that your testers have found, you&#8217;ll prioritize specific features against user requirements, and you&#8217;ll have two or three meetings on the design/architecture of any particular feature, and somewhere in between, you&#8217;ll find time to actually write code. Usually, in a last minute push, your team somehow, miraculously pulls this delivery off just under the wire and the customer is elated.</p>
<p>This will last right up until your customer finds the first problem with the product you&#8217;ve delivered &#8211; so usually about two hours. Congrats &#8211; you&#8217;ve just finished your first iteration of the product and now you&#8217;ve been tasked with more to fix or improve. Lucky for you, your PM is there to block all of that nonsense. Now that the system is in production, a bug or new feature has to be put into your issue tracking system which will later be prioritized and scheduled against every other issue from every other customer.</p>
<p>This is the point where the agile method ends up being not quite so agile, for the customers at least. Sure, your development team is running through about 50 features every 6-week Sprint. And yes, you are spending 50+ hours to get all of the tasks you have in this Sprint done, but no single customer is feeling the love because you&#8217;re not delivering in an agile enough way specific to their project.</p>
<p>Look at it from the customer&#8217;s perspective. You have moved from developing and delivering a full blown production system in 6 weeks to now delivering 2-3 bug fixes and 2-3 feature improvements (of the 30 they&#8217;ve asked for) every six weeks. You no longer appear to be this agile team that they were sold on. In a lot of cases, the application is turned over to an operations team that doesn&#8217;t know what it takes to keep the application running in production and can&#8217;t fix bugs as quickly or as effectively as the development team.</p>
<p>The new and emerging trend is the concept of a &#8220;Dev-Ops&#8221; team. &#8220;Dev-Ops&#8221; teams are development teams that are integrated with the operations team to effectively manage issues as they occur in production. I find the trend interesting as a few of the teams that I have been involved in have been doing this for a very long time now. We&#8217;re able to mitigate production issues quickly and effectively because our development team is also the operations team. We are not bound by the order of the Scrum and Sprint. It&#8217;s a process that seems to work well&#8230; that is until you decide to form a process around it, which I do not doubt will happen.</p>
<p>Process is important and the Agile Software Development Methodology is not all bad, but looking at it from the customer perspective it could be more &#8220;agile&#8221;. I&#8217;m in favor of these dev-ops teams, mostly because in my experience they seem to work more effectively for the customer, and if you ask me, how the customer feels is better than any process that makes an IT organization look good.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.timtutt.com/2011/06/22/why-agile-isnt-so-agile/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>1 Millisecond Is Too Slow</title>
		<link>http://www.timtutt.com/2011/06/22/1-millisecond-is-too-slow/</link>
		<comments>http://www.timtutt.com/2011/06/22/1-millisecond-is-too-slow/#comments</comments>
		<pubDate>Wed, 22 Jun 2011 15:33:49 +0000</pubDate>
		<dc:creator>Tim Tutt</dc:creator>
				<category><![CDATA[Age of Information]]></category>
		<category><![CDATA[Application Development]]></category>
		<category><![CDATA[Big Data]]></category>
		<category><![CDATA[Data Analysis]]></category>
		<category><![CDATA[Large Scale Systems]]></category>
		<category><![CDATA[Programming]]></category>
		<category><![CDATA[big data]]></category>
		<category><![CDATA[cloud]]></category>
		<category><![CDATA[etl]]></category>
		<category><![CDATA[scalability]]></category>
		<category><![CDATA[scale]]></category>
		<category><![CDATA[scaling out]]></category>

		<guid isPermaLink="false">http://www.timtutt.com/?p=160</guid>
		<description><![CDATA[&#8220;640K ought to be enough for anybody&#8221; &#8211; This quote from the 1980s which may or may not be attributed to Bill Gates is quite laughable quote these days. We live in a world where exabytes of data isn&#8217;t even &#8230; <a href="http://www.timtutt.com/2011/06/22/1-millisecond-is-too-slow/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
				<content:encoded><![CDATA[<p>&#8220;640K ought to be enough for anybody&#8221;  &#8211; This quote from the 1980s, which may or may not be attributed to Bill Gates, is quite laughable these days. We live in a world where exabytes of data isn&#8217;t even enough to classify the amount of data we will consume as a world in the next five years. For the more non-technical readers out there, an exabyte is roughly equivalent to 9&#215;10^15 kilobytes. To break it down just a little more, that&#8217;s about 10,000 terabytes of information. </p>
<p>Twitter has about 100M updates per day. We won&#8217;t even begin to guess how many updates Facebook has. Blogging is a ubiquitous term so there are plenty of those out there. What I&#8217;m getting at is there is a lot of data out there just waiting to be analyzed and analyzing data at these volumes is no trivial task. </p>
<p>Before I end up in a rant about big data, let me get to the point. Analyzing data at those volumes takes time. Let&#8217;s look at Twitter for instance &#8211; 100 million tweets per day. Tweets are relatively small records &#8211; 140 characters plus any additional meta-data about the user and retweets and such. Let&#8217;s say it takes about 1 millisecond to process a single tweet. 1 millisecond 100 million times is 100,000 seconds, which is about 1667 minutes, which is about 27 hours. So at 1 millisecond per record it would take just over a day to process 1 day&#8217;s worth of tweets. My point &#8211; 1 millisecond is too slow.</p>
<p>Enter &#8220;the cloud&#8221;. Cloud is probably one of the most overloaded terms in the technology space today so let me apologize for using it and explain what I mean by the term. I&#8217;m talking about horizontally scaling your architecture in order to process these large volumes of data in parallel.</p>
<p>You have to be smart about how you do this. If you have a web service that can only handle two requests at a time and takes 600ms to process data, scaling out to hundreds or thousands of servers does you no good. The bottleneck still exists at the web service.</p>
<p>We are no longer living in the days where 1 millisecond is considered fast. We live in a world of instant information. 27 hours to process yesterday&#8217;s data is unacceptable. </p>
<p>So how do you fix this? You optimize your processing algorithms. This is my call to software engineers everywhere to start optimizing your code and prepare for scaling so that your code meets the demands of today and tomorrow. Eliminate bottlenecks in your code and make those that you cannot remove scale horizontally. Stop accepting &#8220;good enough&#8221;. </p>
<p>It&#8217;s a tall order coming from a small fish low on the totem pole. There is a completely different mindset that software engineers have to switch to in order to achieve this. You have to stop thinking about solving problems in a single threaded manner and move to thinking about problems in parallel.  </p>
<p>It&#8217;s a new age with new rules. Take the advice or leave it, I&#8217;m just a guy that deals with big data on a daily basis.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.timtutt.com/2011/06/22/1-millisecond-is-too-slow/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Anonymous</title>
		<link>http://www.timtutt.com/2011/04/28/anonymous/</link>
		<comments>http://www.timtutt.com/2011/04/28/anonymous/#comments</comments>
		<pubDate>Thu, 28 Apr 2011 05:38:35 +0000</pubDate>
		<dc:creator>Tim Tutt</dc:creator>
				<category><![CDATA[General]]></category>
		<category><![CDATA[Politics]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[Anonymous]]></category>
		<category><![CDATA[Hackers]]></category>
		<category><![CDATA[hidden voice]]></category>
		<category><![CDATA[propaganda]]></category>
		<category><![CDATA[wikileaks]]></category>

		<guid isPermaLink="false">http://www.timtutt.com/?p=149</guid>
		<description><![CDATA[I&#8217;m going to start this one off by saying that I know I am setting myself up here for a full onslaught of attacks, but there are some things that cannot be left alone. That being said, please go watch &#8230; <a href="http://www.timtutt.com/2011/04/28/anonymous/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
				<content:encoded><![CDATA[<p>I&#8217;m going to start this one off by saying that I know I am setting myself up here for a full onslaught of attacks, but there are some things that cannot be left alone. That being said, please go watch this <a href="http://www.youtube.com/watch?v=wEV2CMfhCeo&amp;feature=related">video</a> before reading the remainder of this article.</p>
<p>To members of the &#8220;hacker&#8221; community, this post actually may come off as a little sacrilegious to some, but I ask that you hear me out before making any quick judgements. It is very easy to be sympathetic to this group given what it claims it stands for. This video is actually propaganda at its finest. It appeals to every soul that sees the government as the big-bad attacking some small innocent group that just wants to be heard. It&#8217;s brilliant in all honesty, but it is nothing more than propaganda.</p>
<p>I&#8217;m not going to sit here and argue about the legality of what they do &#8211; that would just be silly. What I will contest is the questionable morality and hypocrisy of what is being done. I have no problem with a group or person taking a political stance and discussing or openly debating it. I have no problem with them enabling others to speak out for themselves (all things that Anonymous has done as a hacktivist organization). Where I begin to take issue is when <strong>any</strong> organization decides to take action that is damaging to others, whether that is the opposition or innocent bystanders caught in the cross-fire.</p>
<p>The organization has been known to help out in cases where people would not have been heard had Anonymous not given them the ability to speak, but Anonymous supporting an organization like Wikileaks is when I first began taking issue. While Wikileaks claims to be all about exposing the truth that &#8220;the people deserve to know&#8221; &#8211; what they are actually doing is putting lives at stake. Without getting into the politics behind it all, I&#8217;ll just say this: when what you are doing puts innocent lives at stake, you are no longer acting for &#8220;the greater good&#8221;. At that point, you are self-focused on a goal. Morality says this is wrong.</p>
<p>Anonymous has been known in the past for its use of DDoS attacks and defacing of websites to shut down the voices and services of others. They silence the opposition. The justification that they use is just silly. Claiming that &#8220;Arresting somebody for taking part in a DDoS attack is exactly like arresting somebody for attending a peaceful demonstration in their hometown&#8221; is a wildly false statement. Performing a DDoS attack, or defacing a website for comments that are not favorable to your cause, is more like bombing an abortion clinic, or spray painting defamatory remarks on your neighbor&#8217;s home.</p>
<p>In some cases this can be acceptable (though ill-advised and illegal) &#8211; for instance when you are defending yourself from being attacked as they did with HBGary Federal, but attacking groups that have no means of defending themselves from such attacks, or the means to retaliate other than to involve the law (which you then attack them for) is hypocritical and immoral.</p>
<p>Why did I feel the need to talk about this tonight? It is no secret that I support the hacker community. I even support the ideals that they claim to stand for. I support the enabling of groups that have no ability to speak out for themselves. What I do not support is the hypocrisy and immorality of the actions that the organization tends to take. As it turns out, what they end up being is no better than those that they claim to stand against.</p>
<p>That&#8217;s my venting for the evening. Bring on the attacks.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.timtutt.com/2011/04/28/anonymous/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>What Users Don&#8217;t Know Will Hurt Them</title>
		<link>http://www.timtutt.com/2010/07/12/what-users-dont-know-will-hurt-them/</link>
		<comments>http://www.timtutt.com/2010/07/12/what-users-dont-know-will-hurt-them/#comments</comments>
		<pubDate>Mon, 12 Jul 2010 06:11:33 +0000</pubDate>
		<dc:creator>Tim Tutt</dc:creator>
				<category><![CDATA[Application Development]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[social networking]]></category>
		<category><![CDATA[Tech Ed]]></category>
		<category><![CDATA[college people search]]></category>
		<category><![CDATA[documentation]]></category>
		<category><![CDATA[end-user education]]></category>
		<category><![CDATA[end-users]]></category>
		<category><![CDATA[facebook privacy]]></category>
		<category><![CDATA[hokie stalker]]></category>
		<category><![CDATA[settings]]></category>
		<category><![CDATA[social engineering]]></category>
		<category><![CDATA[user education]]></category>
		<category><![CDATA[user experience]]></category>
		<category><![CDATA[user knowledge]]></category>
		<category><![CDATA[user security]]></category>
		<category><![CDATA[Users]]></category>
		<category><![CDATA[Virginia Tech]]></category>
		<category><![CDATA[VT People Search]]></category>

		<guid isPermaLink="false">http://www.timtutt.com/?p=127</guid>
		<description><![CDATA[There&#8217;s an old saying, &#8220;ignorance is bliss&#8221;, that I&#8217;d like to add an addendum to today. The quote should be &#8220;Ignorance is bliss, until that ignorance hurts you&#8221;. In the IT world we have the tendency to build systems to &#8230; <a href="http://www.timtutt.com/2010/07/12/what-users-dont-know-will-hurt-them/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
				<content:encoded><![CDATA[<p>There&#8217;s an old saying, &#8220;ignorance is bliss&#8221;, that I&#8217;d like to add an addendum to today. The quote should be &#8220;Ignorance is bliss, until that ignorance hurts you&#8221;. In the IT world we have the tendency to build systems to the specifications provided by the &#8220;customer&#8221;. I quote customer like that because although there is usually a requirements group that provides the specifications to us, the real customers of the applications that we build are the end-users. (As a complete aside - I&#8217;ve never been a fan of requirements groups. They rarely get the customer requirements right, and can never really explain why the end-user &#8220;needs&#8221; something. Another conversation for another day.)</p>
<p>I bring this up because usually what happens is a number of requirements are defined, the system is built to those specifications, the end-users are given training on the most common features, and are pointed to documentation that they will never read for more advanced features. Even worse is when a user is &#8220;voluntarily&#8221; enrolled in some system as a part of some contract that they signed. The worst case is when a user signs up for a system, and is completely unaware that their information is also being used by several other systems. Users are oftentimes harmed by not knowing how to protect themselves in these systems, or when they do not know what is in the realm of the possible.</p>
<p>Here&#8217;s just one specific example. Recently, I was planning on getting a birthday present for a friend of mine from college. I knew she was going to be at her parents&#8217; place for her birthday, so I wanted to have the present sent to her home. The problem with that was I didn&#8217;t know her home address. Virginia Tech has a system that the students typically refer to as &#8220;Hokie Stalker&#8221;. You can search for a person by name and it returns their local address, home address, major, phone numbers, and e-mail address if they have not elected to suppress that information. The system is actually a public system, so anyone can go to the Virginia Tech website and search for any student and get all of that same information.</p>
<p>Needless to say, she got her present, but was curious as to how I got her home address. I explained it to her, and then explained that she could suppress it by clicking a checkbox in her account. The problem here was two-fold. She was unaware that I could even get that information and also unaware that she could hide it. Luckily, I was a friend just trying to send a gift, but the situation could have been a lot worse. Just by having a name, I could launch a very effective social engineering attack on some unknowing student. Knowing a major, a home address, the school they attend, and an e-mail address, I can make myself sound like a valid authority and request additional information.</p>
<p>A more interesting example deals with security in browsing the web. It is common these days that users know to look for the little lock in the bottom of their browser before entering personal information or credit card details, but they don&#8217;t really understand what that lock means. They assume that if the lock is there, then the site is secure and they can safely enter information. They also know to look for the &#8220;https&#8221; in the URL bar of their browser. While they know to make these checks, one thing that users are still very bad about is reading pop-ups about security certificates. A user is trying to get to a site and this annoying pop-up prevents them from getting there &#8211; the auto-reaction is to click &#8220;Confirm Security Exception&#8221;. The user does not understand that a website can sign its own certificates and that if they accept these certificates, the browser will do as they say and treat this site as trusted, thus showing them that lock that makes them feel all warm and fuzzy inside.</p>
<p>Browsers have done their part in attempting to explain to users what they are doing, but unless the user is security conscious, they don&#8217;t bother reading it. Some things are just beyond our control. Sure we can provide and require certain security trainings on the job, which hopefully employees will take and apply in their personal lives, but not every user of the Internet is granted these learning experiences. There are several other examples of users being unaware of how systems actually function and how these things can hurt them. Facebook privacy is one that we&#8217;ll leave alone today because it&#8217;s almost like beating a dead horse with a stick, but the point is users&#8217; lack of awareness can and will hurt them.</p>
<p>Whether it be someone using information the user could have hidden for malicious social engineering attacks or a website claiming to be a user&#8217;s bank by providing a self-signed SSL cert, users can and will be attacked when they are unaware of what is possible. The question is how do we protect them from every threat? Productivity would certainly be lost if we explained every system in full detail to every user. That is just not a feasible solution. Perhaps the answer lies in how we present documentation to users. If documentation is hidden underneath layers of pages, then we can expect that users will not find it. Should we make documentation a part of the entire user experience with hints and tip boxes? Would that deter users from using systems? It&#8217;s an interesting question that I do not have the answer to. I do know, however, that as long as users remain ignorant of certain features of the systems they use, they are more likely to be attacked.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.timtutt.com/2010/07/12/what-users-dont-know-will-hurt-them/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Cyberwar or Cyberhype?</title>
		<link>http://www.timtutt.com/2010/07/09/cyberwar-or-cyberhype/</link>
		<comments>http://www.timtutt.com/2010/07/09/cyberwar-or-cyberhype/#comments</comments>
		<pubDate>Fri, 09 Jul 2010 21:02:42 +0000</pubDate>
		<dc:creator>Tim Tutt</dc:creator>
				<category><![CDATA[Politics]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[Bejtlich]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[cyber-war]]></category>
		<category><![CDATA[cyberhype]]></category>
		<category><![CDATA[cyberwar]]></category>
		<category><![CDATA[denial of service]]></category>
		<category><![CDATA[DoS]]></category>
		<category><![CDATA[FBI]]></category>
		<category><![CDATA[intelligence agencies]]></category>
		<category><![CDATA[NSA]]></category>
		<category><![CDATA[Schneier]]></category>
		<category><![CDATA[U.S government]]></category>

		<guid isPermaLink="false">http://www.timtutt.com/?p=122</guid>
		<description><![CDATA[Over the past week, the blogosphere of the computer security world has been ambushed with some serious discussions about whether all of the talk going on in the nation about the threat of cyberwar is nothing more than hype. Some would argue &#8230; <a href="http://www.timtutt.com/2010/07/09/cyberwar-or-cyberhype/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
				<content:encoded><![CDATA[<p>Over the past week, the blogosphere of the computer security world has been ambushed with some serious discussions about whether all of the talk going on in the nation about the threat of cyberwar is nothing more than hype. Some would argue it is being used as a scare tactic to push political and agency agendas, while others would argue that it is a valid and prevalent issue. In the world of information technology, this is oftentimes an issue &#8211; important concepts, ideas, or issues are over-hyped and then dismissed. In some cases dismissing technology hype completely is valid (see <a href="http://www.timtutt.com/?p=82">NoSQL</a>), while in others it could be very dangerous.</p>
<p>Richard Bejtlich over at <a title="Cyber War is Real" href="http://" target="_blank">TaoSecurity</a> summarizes the argument of those that believe it&#8217;s all just cyberhype nicely:</p>
<blockquote><p><em>Their argument is simple.</em></p>
<ol>
<li><em>The government wants to control the people, or obtain a resource, or pursue some objective that could not be reasonably achieved if transparently presented to the citizenry.</em></li>
<li><em>The government &#8220;propaganda machine,&#8221; sometimes in coordination with &#8220;the media&#8221; and &#8220;big business,&#8221; &#8220;manufactures&#8221; a &#8220;crisis&#8221; whose only solution is increased government power.</em></li>
<li><em>The people acquiesce in order to preserve their safety, and the government achieves its objective</em></li>
</ol>
</blockquote>
<p>It&#8217;s not too far-fetched to believe that politicians and intelligence agencies have some agenda of their own. It is also not too far-fetched to believe that the government uses propaganda and scare tactics to push those agendas &#8211; but that does not mean a threat does not in fact exist. Bejtlich goes on in his article to state that the cyberwar is in fact real, regardless of whether it follows the traditional definition of &#8220;war&#8221;. In a followup <a title="A Little More On Cyberwar" href="http://taosecurity.blogspot.com/2010/07/little-more-on-cyberwar-from-joint-pub.html">article</a>, he continues to support his argument by using a variety of political frameworks for defining what actually constitutes war.</p>
<p>While Bejtlich obviously believes that cyberwar is in fact real, others such as renowned security professional Bruce Schneier have a different take on it all. In one of his recent <a title="Schneier on Cyberwar" href="http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html">articles</a>, Schneier argues that the threat has been exaggerated. A number of government officials have been quoted as saying that the cyberwar is a real and prevalent threat. According to Schneier, &#8220;&#8230;the entire national debate on cyberwar is plagued with <a href="http://www.computerworld.com/s/article/9174682/Senators_ramp_up_cyberwar_rhetoric_">exaggerations</a> and <a href="http://www.wired.com/dangerroom/2010/04/top-officer-fears-cyberwar-hearts-karzai-tweets-with-help/">hyperbole</a>.&#8221; Schneier goes on to explain several examples of the overuse and misuse of the term cyberwar and states that we are in fact not in a cyberwar. He believes that we should have a Cyber Command and be prepared for war having improved cybersecurity, but says that there is no more of a threat of a cyberwar than there is of a ground invasion.</p>
<p>While Schneier presents a few valid and convincing points, I largely agree with Bejtlich, in that the cyberwar is in fact a real and an important threat that most certainly needs to be addressed. Yes, politicians use rhetoric to sell the public on the need for change in policies. And yes, agencies do oversell the threats to push their personal agendas. With no real definition for who has power in the case of cyber attacks, it is no surprise that everyone wants control. Even if the threats are somewhat exaggerated, it does not mean the threats do not exist.</p>
<p>Attacks on classified networks, whether these be denial-of-service attacks or attacks used purely to obtain information, are real threats. If it is known that our networks are vulnerable and not defended, a foreign agency can use this fact to their benefit to prevent communications when we really need them. It is surprising that Schneier would dismiss the attack on Estonian websites in 2007 as &#8220;simple hacking&#8221;. A denial-of-service attack, while simple in execution, can cause a tremendous amount of damage when mission-critical services are interrupted. Even if networks are being attacked as simple proof-of-concepts, it poses a real threat. Reconnaissance is the first step in covert warfare. This fact does not change in a cyber arena.</p>
<p>I feel it is hard to argue, knowing that our networks are being attacked on a regular basis (regardless of where the attacks are originating from), that there is not a cyberwar going on. It is imperative that we defend our networks, and imperative that we understand the consequences of failure. This is not to say I fully agree with the media and politicians who exaggerate the actual threat. There is no question of whether or not the threat has been exaggerated, but that does not mean we should entirely dismiss the threat or that a cyberwar does in fact exist.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.timtutt.com/2010/07/09/cyberwar-or-cyberhype/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Are We Witnessing The Death Of Privacy?</title>
		<link>http://www.timtutt.com/2010/04/27/are-we-witnessing-the-death-of-privacy/</link>
		<comments>http://www.timtutt.com/2010/04/27/are-we-witnessing-the-death-of-privacy/#comments</comments>
		<pubDate>Wed, 28 Apr 2010 03:27:08 +0000</pubDate>
		<dc:creator>Tim Tutt</dc:creator>
				<category><![CDATA[Application Development]]></category>
		<category><![CDATA[General]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[social networking]]></category>
		<category><![CDATA[Tech Ed]]></category>
		<category><![CDATA[Web Development]]></category>
		<category><![CDATA[big brother]]></category>
		<category><![CDATA[eric schmidt]]></category>
		<category><![CDATA[Facebook]]></category>
		<category><![CDATA[foursquare]]></category>
		<category><![CDATA[generation z]]></category>
		<category><![CDATA[google]]></category>
		<category><![CDATA[google latitude]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[location based services]]></category>
		<category><![CDATA[mark zuckerberg]]></category>
		<category><![CDATA[twitter]]></category>

		<guid isPermaLink="false">http://www.timtutt.com/?p=99</guid>
		<description><![CDATA[While the death of privacy may seem like a far-fetched concept, particularly in the United States, it really is an idea that we should be paying attention to.  To be perfectly honest, it was an idea that even I dismissed &#8230; <a href="http://www.timtutt.com/2010/04/27/are-we-witnessing-the-death-of-privacy/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
				<content:encoded><![CDATA[<p>While the death of privacy may seem like a far-fetched concept, particularly in the United States, it really is an idea that we should be paying attention to.  To be perfectly honest, it was an idea that even I dismissed just a few months ago, but it has slowly been beginning to scare me a little more as I pay more attention to the generational differences.</p>
<p>What really sparked this paradigm shift in my line of thinking about the security of privacy was a conversation I was having with my good friend John a few months ago.  We were walking through our local Kroger late at night as college students tend to do and discussing the uselessness (or usefulness as my friend argued) of Facebook Chat (since then you can now integrate FB Chat with clients so I use it all the time&#8230; They were listening to my complaints). I was explaining how I never use it because it requires me to be locked in the browser, and there is no way of really being notified of a new message if I happen to be on another desktop or window etc&#8230; I&#8217;ve always been a big fan of clients for services.</p>
<p>My friend responded to me that younger generations find tremendous value in it due to the fact that they do not see any reason anyone would ever use a &#8220;Screen Name&#8221; to talk to their friends.  For those of you reading this wondering what I&#8217;m talking about, it was a trend made popular by AOL&#8217;s chat service from back in the 90s. I brought up the anonymity on the net argument, and his response was a simple one that caught me off guard:  &#8220;People don&#8217;t care about that anymore&#8221;.  I was unable to respond to that mostly because after thinking about it for a few minutes I realized it was true.  Even back in my high school days, I had friends who would post everything about their lives on the internet without thinking about potential repercussions.</p>
<p><strong>The Social Networking Problem</strong></p>
<p>The whole idea bothers me really.  With all these social networking sites like MySpace and Facebook, and blogging on the rise, people have this tendency to share everything. Then we have Twitter and now you have people <strong>constantly</strong> posting about their lives.  Don&#8217;t get me wrong, these tools are great, but is it really okay&#8230; is it really safe for us to be so willing to share everything about ourselves to the world?</p>
<p>I personally hide myself as much as possible on these sites. I use them for keeping in touch with people that I know. Not for meeting random people on the internet. You still can&#8217;t trust that the person on the other end is who they say they are. Even with me only adding or sharing information with just my friends, I still limit that for several reasons: 1) My prior statement remains true &#8211; I can&#8217;t verify that my friend&#8217;s account hasn&#8217;t been hacked, or if it&#8217;s being used by a friend that they shared a password with (another point we&#8217;ll come back to), 2) By putting information on these sites, I&#8217;m putting a lot of trust in the site that is hosting the information. Facebook openly sells information. At a point, any Facebook employee had access to information for ANY user. That&#8217;s too much trust.</p>
<p>Another little known fact about Facebook - they literally track and keep a history of <strong>everything</strong> you do while on the site. Every page view, picture view, wall post, message sent, event attended, group started, ad clicked, chat conversation had is logged and stored. With the right kind of analysis on this information, you could generate a pretty accurate profile of a person. To be honest, I wouldn&#8217;t be surprised if Federal agencies aren&#8217;t already doing such things. Big brother isn&#8217;t the government, it&#8217;s Facebook.</p>
<p><strong>Location Based Services</strong></p>
<p>Facebook isn&#8217;t the only criminal here though&#8230; Let&#8217;s talk about Twitter, Google, and the iPhone for a minute. Perhaps it&#8217;s just me, but Location Based Services seem like the most unsafe idea ever. Yes they provide a level of convenience and context to situational events, but there is one major problem with the implementations that we&#8217;ve seen with the applications that have been produced &#8211; They give people the ability to stalk you. Think about it. Google Latitude is built for broadcasting your location to your friends (or the world if you want). Twitter has location based services so when you tweet, your location can also be shot off (don&#8217;t worry it&#8217;s an opt-in system&#8230; which is even scarier considering the number of people who use it). The biggest criminal, however, has got to be Foursquare.</p>
<p>Foursquare, for those of you that don&#8217;t know, is an application that asks users to share their location. The real crime is the way in which they convince users to do this. If you share your location, every time you go back to a particular store or spot, you &#8220;check-in&#8221;. If you check in more times at a particular location than anyone else you can become the &#8220;Mayor&#8221; of that location! How fun! Except for now that you&#8217;re broadcasting your location, and where you spend most of your time, if I want I can build a nice profile of when you&#8217;re not at home so I can rob you, or stalk you without ever having to leave my home. Grats!</p>
<p><strong>Grocery Stores</strong></p>
<p>Grocery stores are also adding to the privacy problem. Particularly in this current economy, it is really easy for grocery stores to get you to sign up for these free cards that give you absolutely great discounts on items you buy in stores. It is very uncommon to find a grocery store that doesn&#8217;t offer these. It wasn&#8217;t really apparent to me what kind of implications this had on privacy, however, until about a year ago. I received a phone call from my local Kroger informing me that Nestle Toll House had recalled a number of its products (cookies) due to some issue with them (I don&#8217;t remember specifics) and that I was receiving the phone call because I had purchased these products in the past few months. My train of thought went something like this: &#8220;Oh wow, that&#8217;s awesome that they called me to let me know&#8230; I hope I don&#8217;t get sick&#8230; wait a second how did they know I bought those cookies and how did they know how to get in touch with me&#8230;&#8221;</p>
<p>Then it hit me. I signed up for one of those cards when I moved into the area because I wanted to get those discounts. Part of signing up is providing your phone number (which they say is so you can not have the card and still receive the discounts), but it actually serves multiple purposes. They want to be able to contact you. You receive ads in the mail because you also provided your address. They&#8217;re also selling your information to advertisers. We don&#8217;t care though, because we get those discounts.</p>
<p><strong>Generation Z</strong></p>
<p>For starters, this isn&#8217;t my label. This is the label you were given based on when you were born. Generation Z refers to all of those born from the mid-1990s through 2009. There&#8217;s a reason the theme at last year&#8217;s Defcon was blame the 90s. It&#8217;s funny&#8230; I have younger siblings that were born during this time frame that (at least for the moment) seem to know better than to share everything about themselves on the internet. That know better than to give a boyfriend or girlfriend their passwords. That could also be due to the fact that I shove security down their throats on a regular basis, but that can&#8217;t be proven.</p>
<p>Fact of the matter is, a lot of these Gen-Zers are out there doing exactly those things that I mentioned. They do so without thinking about the repercussions of sharing everything about yourself with the world. Without thinking about the damage that can be done by some disgruntled friend or ex. They&#8217;re being led by bad models of privacy and just accepting them because they simply do not know any better. Is this due to a lack of education by my generation? Generation Z is following along with these bad models of privacy which are essentially killing the concept slowly, but surely.</p>
<p><strong>CEOs and Privacy</strong></p>
<p>Know what&#8217;s really scary? When CEOs don&#8217;t think privacy matters. Especially CEOs who run companies that pretty much own every piece of data that is shared on the internet. I&#8217;m looking at you Eric Schmidt and Mark Zuckerberg. Let&#8217;s start with Zuckerberg&#8230; Mark is a young twenty-something CEO who started the most used social networking site ever. The site has exploded since its inception and now gets more traffic than even Google. The site I&#8217;m referring to of course is Facebook. Facebook has been under a lot of heat in the past (and even today) about their privacy policies. They keep changing the policy so that information is shared, and can be sold. As I said in another post, this is nothing we shouldn&#8217;t expect from Facebook as a company because it is just that &#8211; a company. My issue comes when CEOs such as Zuckerberg say things like &#8220;We view it as our role in the system to constantly be innovating and be updating what our system is to reflect what the current social norms are&#8221; when his views of those social norms are slanted towards the benefit of his company.</p>
<p>Perhaps that is a little harsh. Let me phrase that a little differently. Zuckerberg claims that the social norms of what people will share and with whom they will share that information have changed, but the fact of the matter is Facebook has led that change. Over the years, every time Facebook updated their privacy policy, there was an uproar of sorts from their users (or at least the ones who cared to pay attention). Leading the masses of sheep who aren&#8217;t paying attention into a dark hole and claiming that it is the social norm is a tad twisted.</p>
<p>Even worse than Zuckerberg, however, would have to be Eric Schmidt. Schmidt is Google&#8217;s CEO, and in an interview earlier this year in response to a question about whether or not people should trust Google as much as they do he says &#8220;If you have something that you don&#8217;t want anyone to know, maybe you shouldn&#8217;t be doing it in the first place.&#8221; Now, that would almost be a valid statement except for the fact that it just isn&#8217;t. There are a million and one different ways I could blow that statement out of the water, but we&#8217;ll save time and skip that. [Insert your own example here]. I gotta give Schmidt credit though &#8211; at least he doesn&#8217;t lie. &#8220;But if you really need that kind of privacy, the reality is that search engines – including Google – do retain this information for some time.&#8221; When the CEO of the company that literally owns every piece of your life (think about it &#8211; maps, e-mail, chat, code, everything&#8230;) is bold enough to just tell you, &#8220;we keep your information, your privacy doesn&#8217;t exist as far as we&#8217;re concerned&#8221;, maybe this whole notion of privacy is becoming a novelty.</p>
<p><strong>Is Privacy Dying Before Our Eyes?</strong></p>
<p>I would like to think that at some point, people will begin to realize how much they are really exposing to the world and how dangerous it is. I would like to think that these past few years will be something that we look at as a quick slip in the future. What scares me the most is the fact that I know what I personally can do with the information people share out there on these sites&#8230; And I&#8217;m no Kevin Mitnick. I&#8217;m just some guy who happens to think about things from a security standpoint. If I were a worse person, lives could be destroyed and identities stolen very easily.</p>
<p>By all accounts, privacy does seem to be slowly dying. I hope &#8211; for all our sakes &#8211; that there is some major awakening that reminds people why privacy has existed in the past. Why it is not always best to share everything about your life with the world. I am not saying we need to &#8220;fight the power&#8221; and destroy Facebook, Google, Twitter and the like. They are all great tools &#8211; but only when used in safe manners. If privacy dies, we&#8217;re welcoming a world of chaos with open arms.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.timtutt.com/2010/04/27/are-we-witnessing-the-death-of-privacy/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>
