11 April 2008
In a previous post, a friend and reader asked some great questions. I answered about half of them here. Here’s round two:
1) You have mentioned a couple times data about Firefox and IEâ€™s security vulnerabilities and patches. Could you explain what a security vulnerability constitutes in simple to understand terms? What exactly is vulnerable? Are these vulnerabilities constantly changing and being patched? At what rate?
A browser is a piece of software that interprets the languages of the internet and displays them in a way mere humans can understand. Clever coders can sometimes induce browsers to interpret a particular web language in a way that is harmful to you. For example, malicious code on a website may tell a browser to download and install a virus without telling you. Of course, browser companies (like Mozilla and Microsoft) usually try to eliminate these vulnerabilities when they are discovered.
Also, browsers can have important and well-travelled connections to a computer’s vital file systems (Internet Explorer 6 was famous for this). Imagine two paths into a file system, one of which is guarded by stern-looking toughs and another where old friends are waved through. Some badware programs have found that they can sometimes sneak in the second door if they hide under the cloak of an old friend of the guards.
As with all other security threats, browser vulnerabilities are constantly changing as attackers develop new techniques and defenders try to counter them. Each browser manufacturer patches vulnerabilities at different rates, and new threats pop up as the relative success rates of different techniques like phishing, trojans, keyloggers, viruses, and spyware shift.
2) I use Ad-Aware, Spybot, and Avast Anti-virus as you suggest. I was wondering what you recommend to do when problems are caught. There are usually options (though labeled differently) for Doing Nothing, Quarantining, Deleting, and Repairing. Are any of these options better than others, why or why not?
I like to repair infected files when possible and quarantine them when it’s not. Quarantining is, in my view, preferable to deleting for the same reason the death penalty is often eschewed in favour of a lengthy prison sentence: sometimes the prosecutor is wrong. Quarantining, like imprisoning, lets you correct mistakes when they happen, meaning you get back a file that is probably useful rather than dangerous.
3) I thought you might comment on social networking sites (Facebook, Myspace, etc.) security risks. Iâ€™ve heard in conversation with friends that quite a bit of private data can be gleaned off of what people decide to post on public sites. Is this true? What should people be able to post without compromising their security but still being able to participate in an online community?
Beyond the obvious (don’t post your SSN, etc.), there isn’t much I can say. Security and convenience almost always have to be traded against each other, and each person has to decide for herself where to start and end. If you really like sharing information on social networking sites, you might be better off protecting yourself by frequently monitoring your credit reports (the topic of an upcoming post), making sure your bank statements don’t have funny charges on them, and changing your passwords frequently.
4) I was specifically wondering about photographs and writing that you post in public spaces on the internet. Is their a security threat in these being stolen and used for monetary gains? Is it legal for people to take such information? When you post writing or photos is their any sort of laws that copyright what you post in your name? Does the website hosting you gain any ownership of the data?
Sure, people can take your photos and words and use them inappropriately, but it is illegal for them to do so in many countries. The US Copyright Office has a FAQ section on copyright that is worth reading. They say, “Copyright exists from the moment the work is created. You will have to register, however, if you wish to bring a lawsuit for infringement of a U.S. work.” I don’t think a web host gains any ownership over the data you store with them, but you may want to research this carefully if it’s important to you.