Security

Some time ago system administrators bragged about how much uptime their systems had. It was seen by many as a reflection of their skills in keeping their systems up and running without needing a reboot.

There even were some web sites dedicated to displaying such information. People do like to brag 🙂

Then one day someone realized that having uptime that covered multiple years was probably not such a good thing after all… People started worrying what would happen if the system actually needed to be shut down. Would it come up again on its own? And if it didn’t, where were the people that had installed it and were familiar with its particular quirks? Most had probably moved on to other positions or had even left the company.

And what about security? How many kernel exploits have been fixed since that particular version that is 4 or 5 years old? Long uptimes became increasingly unpopular.

In today’s world a long uptime is usually only found in very special installations, and not frequently in systems that are connected to the internet, the potentially lethal realm where hackers (or even script kiddies) can wreak havoc on an unpatched system in a matter of minutes (or is it seconds?).

Yes, maybe there are firewalls and IDSs between the system and the internet, but hey, if your systems are unpatched, how up to date are your security systems?

I bet there are two kinds of people reading this. The first is the one that smiles and nods agreeingly, and the other has already stopped reading and is busy checking uptimes 🙂

On November 2, 1988 Robert Morris, a student at Cornell University, unleashed the first internet worm. At least it was the very first computer worm to get mainstream attention. It also got its author convicted to serve 3 years probation and pay a heavy fine. The exact economic damage the worm inflicted will never be known, but estimates range from $100.000 to $10.000.00 and correspond to the estimated costs of removing the worm from all the infected systems.

According to Morris, the worm wasn’t meant to inflict any damage, but to gauge the size (number of systems) of the internet. The worm didn’t actually destroy anything, but a flaw in the way it replicated itself from system to system led it to infect the same host multiple times, and eventually take over all its processing power, rendering the system useless for its intended use.

The fact that Morris unleashed his worm, not from his own university at Cornell, but from MIT, where he is currently a professor, might suggest an attempt to hide his tracks, contradicting his claims that the worm was harmless, but 22 years later such details lose part of their relevance.

It is assumed that 10% of the estimated 60.000 internet connected systems (mostly DEC VAXen and SUN-3 systems) were infected.

22 years later, we have a lot more defenses, but we still get things like Conficker, which according to some sources infected over 11 million hosts just in the first 3 months of 2009, and Stuxnet which surfaced this very year, and has been specifically designed to attack critical industrial infrastructures, in what is possibly the first publicly known form of cyber-weapon. Some sources say it was aimed at Iran’s nuclear infrastructures, something that has of course been publicly denied…


Sources: Wikipedia 🙂

100 million Facebook profiles is what Canadian security researcher Ron Bowes says he has collected from Facebook and published to some P2P sites.

Once again people rise in anger at Facebook, accusing it of not properly protecting their account information. Oh what evil creatures could cause such horror…


This man created a crawler that harvested information on 100 million Facebook accounts. There is no mention of a hack, or any privileged information being discovered. Just information that was already there… Probably already accessed and processed by every search engine in existence.

Facebook is a social network site. Hell, it is The Social Network site, and the most common trait of a social network site is to promote contacts between people. That means there has to be some amount of information visible for every user. How else can we know if Johnny User is really the guy or gal we want to befriend? I have a Facebook account and I have protected some of my information, but short of deleting my account there is always some information available (1). My name, my picture if I have one uploaded, and any other information I did not choose to protect, will be visible.

If Mr Ron Bowes, or anyone else, comes along and finds that information about me, it’s not a hack, not a security flaw, just the normal process of checking out someone’s account. It’s been done millions of times every day. I do it sometimes. Facebook even suggests we do it. It presents us with 2 or 3 profiles we might be interested in. Clicking on these users gets us access to their profile. Depending on their privacy settings we can see some information about these accounts. At the very minimum we can see their name, and little else, if they have their privacy settings set that way; or, if they haven’t bothered, we can see most of their information, with photos, and videos and whatever else they’ve uploaded. Nothing surprising there…

The only added value for Mr Ron Bowes is that he automated the process… No big deal.

And then he published that info. Here is the big problem. Did he have a right to publish that data? I don’t think so, and even if he did I still think he shouldn’t have done it. Of course I know nothing of Mr. Bowes’ intentions, or motives, but still it’s debatable.

Let’s face it, Facebook doesn’t have a good rep when it comes to security, but let’s not exaggerate our criticism. Let’s save it for matters that really matter, not some nonsense like this.


(1) There are allegations that Facebook does not delete accounts and maintains user data even when the user has asked for his account to be deleted. This is much more serious than the above “problem”, because if these allegations are true, it means data is being kept against the user’s wishes. Dangerous and probably illegal…