<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Defending The Kingdom</title>
	<atom:link href="http://www.defendingthekingdom.com/feed" rel="self" type="application/rss+xml" />
	<link>http://www.defendingthekingdom.com</link>
	<description>Security and Privacy in Your Digital Life</description>
	<lastBuildDate>Thu, 02 Sep 2010 12:38:11 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=abc</generator>
		<item>
		<title>Ads that stalk you</title>
		<link>http://www.defendingthekingdom.com/archives/ads-that-stalk-you</link>
		<comments>http://www.defendingthekingdom.com/archives/ads-that-stalk-you#comments</comments>
		<pubDate>Thu, 02 Sep 2010 12:38:11 +0000</pubDate>
		<dc:creator>Ian Saxon</dc:creator>
				<category><![CDATA[privacy]]></category>

		<guid isPermaLink="false">http://www.defendingthekingdom.com/?p=467</guid>
		<description><![CDATA[The NY Times has an interesting article about targeted advertisements that follow people around the web: Julie Matlin was tempted by a pair of shoes on Zappos.com. Then the shoes started showing up in ads on other sites she visited. Then the shoes started to follow her everywhere she went online. An ad for those [...]]]></description>
			<content:encoded><![CDATA[<div class="imgintro_right"><a href="/images/stalked_big.jpg"><img width="200" height="281" alt="Frightened woman" src="/images/stalked_small.jpg" /></a></div>
<p>The NY Times has an <a href="http://www.nytimes.com/2010/08/30/technology/30adstalk.html?_r=1&#038;hp">interesting article about targeted advertisements that follow people around the web</a>:</p>
<blockquote>
<p>Julie Matlin was tempted by a pair of shoes on Zappos.com. Then the shoes started showing up in ads on other sites she visited.</p>
<p>Then the shoes started to follow her everywhere she went online. An ad for those very shoes showed up on the blog TechCrunch. It popped up again on several other blogs and on Twitpic. It was as if Zappos had unleashed a persistent salesman who wouldn’t take no for an answer.</p>
</blockquote>
<p>That sounds creepy. Nobody wants to feel watched while surfing the web &#8212; it&#8217;s just too much like having your mind read. Perhaps that&#8217;s not too worrying when you&#8217;re shopping for shoes, but what about when you&#8217;re looking for information about that skin rash that won&#8217;t go away?</p>
<p><a href="http://support.mozilla.com/en-US/kb/Disabling+third+party+cookies">It used to be easy to prevent</a> the problem described by the woman in the Times story, but now there are <a href="http://www.wired.com/epicenter/2009/08/you-deleted-your-cookies-think-again/">sneakier ways to track users across websites</a>. Now you need something like this <a href="https://addons.mozilla.org/en-US/firefox/addon/6623/">Firefox add-on</a> to thoroughly purge your browser of tracking technologies.</p>
<h3>But does anyone really care?</h3>
<p>There&#8217;s nothing easier than drumming up a bit of indignation for a news story. But does anyone really care about being tracked this way? Sure, all else equal, most of us would pick more privacy rather than less. But the real question is whether anyone is willing to <em>pay</em> for that privacy.</p>
<p>The metaphor of a persistent salesman who won&#8217;t take &#8220;no&#8221; for an answer is an illuminating one. Just as some stores try to attract customers by telling them about their easy-going, non-commission-based salespeople, some websites could differentiate themselves from the competition by telling internet users that they won&#8217;t install invasive tracking technologies.</p>
<p>We may yet see something like that, but I have my doubts. People like privacy, but they like getting great content and services cheaply, too. Websites that earn extra money by intruding on their customers&#8217; privacy are likely going to outcompete websites that don&#8217;t <em>if</em> web user preferences lean more toward getting stuff cheaply than maintaining privacy. There is no easier place for experimentation with business practices than the web, so the dearth of websites that compete on the margin of privacy suggests that there probably isn&#8217;t much demand for it.</p>
<h3>Government regulation of privacy</h3>
<p>Right now, there is a <a href="http://www.economist.com/debate/debates/overview/181">debate at the Economist</a> about whether governments should more heavily regulate online privacy issues. This blog has always been in favour of things that help people protect their privacy, but I have also stressed the importance of considering the costs of doing so. To my ear, government intervention to enhance privacy protections online sounds like forcing internet users to accept a different bundle of cheap content, quality services, and privacy than they currently want.</p>
<p>A quote from the primary proponent of regulation in the Economist debate highlights this:</p>
<blockquote><p>&#8230;it is hard to imagine that the typical internet user can really do much to safeguard their privacy when companies purposefully make it so difficult.</p></blockquote>
<p>Let&#8217;s imagine an (admittedly weird) alternate world where the current Economist debate is about the problem that all brick and mortar stores must be entered via doors that measure a mere 3 feet in height. One of the proponents of government regulation for bigger doors says:</p>
<blockquote><p>&#8230;it is hard to imagine that the typical shopper can really do much to improve their shopping experience when companies purposefully make it so difficult to fit in the entrance.</p></blockquote>
<p>It&#8217;s laughable because we know how easy it would be for stores to install larger doors and capture the customers who are dissatisfied with the doggy door experience. When you realize that privacy is something that can be and is bought and sold today just like any other commodity, you have to admit that a lack of concern on the part of businesses when it comes to privacy issues may just mean there is limited demand for it from most consumers&#8217; point of view. And, in fact, it is possible that the current equilibrium is Pareto optimal.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.defendingthekingdom.com/archives/ads-that-stalk-you/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>BlackBerry security and VPNs</title>
		<link>http://www.defendingthekingdom.com/archives/blackberry-security-and-vpns</link>
		<comments>http://www.defendingthekingdom.com/archives/blackberry-security-and-vpns#comments</comments>
		<pubDate>Sun, 08 Aug 2010 14:54:32 +0000</pubDate>
		<dc:creator>Ian Saxon</dc:creator>
				<category><![CDATA[Internet Service Providers]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[recommended software]]></category>

		<guid isPermaLink="false">http://www.defendingthekingdom.com/?p=426</guid>
		<description><![CDATA[On Tuesday last week, The Economist keenly observed that: Whenever you read about a dispute between a web-based service and a country, you need to ask yourself only one question: where is the server located? BlackBerry servers are located in Canada, and data is encrypted when it is sent from one phone to another. That&#8217;s [...]]]></description>
			<content:encoded><![CDATA[<p>On Tuesday last week, The Economist keenly <a href="http://www.economist.com/blogs/babbage/2010/08/blackberry_and_censorship">observed that</a>:</p>
<blockquote><p>Whenever you read about a dispute between a web-based service and a country, you need to ask yourself only one question: where is the server located?</p></blockquote>
<p>BlackBerry servers are located in Canada, and data is encrypted when it is sent from one phone to another. That&#8217;s a problem for countries that want to intercept and monitor information sent across BlackBerry networks. From The Economist article:</p>
<blockquote><p>Countries have two basic technical methods of controlling the flow of information over the internet. First, they claim legal jurisdiction over information stored on servers within their own borders. Second, they can read or block traffic moving through the choke-points where internet cables cross the border.</p></blockquote>
<p>Neither of those options is available to countries wanting to spy on BlackBerry users, which is why Research In Motion, the makers of the BlackBerry, have been getting flak from the governments of <a href="http://www.nytimes.com/2010/08/06/technology/06rim.html?ref=technology">India, Lebanon, Saudi Arabia</a> and now the <a href="http://www.betanews.com/article/RIM-No-back-door-into-encrypted-BlackBerry-messages-for-any-government/1280861521">UAE</a>:</p>
<blockquote><p>The UAE&#8217;s Telecommunications Regulatory Authority said it would suspend BlackBerry Messenger, email and Web browsing services beginning on October 11th if RIM does not provide a solution for local messaging control.</p></blockquote>
<p>Fortunately, Research In Motion <a href="http://blogs.thenational.ae/beep_beep/2010/08/full-rim-customer-statement-on-blackberry-security-issues.html">told its customers not to worry</a>:</p>
<blockquote><p>
The BlackBerry security architecture for enterprise customers is purposefully designed to exclude the capability for RIM or any third party to read encrypted information under any circumstances. RIM would simply be unable to accommodate any request for a copy of a customer&#8217;s encryption key since at no time does RIM, or any wireless network operator, ever possess a copy of the key.
</p></blockquote>
<p>Unfortunately, Research In Motion quickly <a href="http://www.straitstimes.com/BreakingNews/TechandScience/Story/STIStory_563322.html">made a deal with the government of Saudi Arabia</a> that undoes those fine intentions:</p>
<blockquote><p>
The agreement, which would involve placing a BlackBerry server inside Saudi Arabia, would allow the government to monitor users&#8217; messages and allay official fears the service could be used for criminal purposes.</p></blockquote>
<p>A similar deal with the UAE is likely to follow. </p>
<h3>Staying secure when eavesdropping is a risk: VPNs</h3>
<p>This brings up a general point about safe internet use in any setting where third parties &#8212; including governments, your ISP, or the guy next to you in the coffee shop sharing that WiFi hotspot &#8212; may be able to peek at your communications. A commentator at The Economist&#8217;s article wisely noted that:</p>
<blockquote><p>&#8230;one can go to any hotel in Dubai, hop on its wifi with your laptop and use your own VPN (or company VPN in my case), effectively blocking them from seeing your communications.</p></blockquote>
<p>Although it may be illegal to do so depending on your location, and I&#8217;m in favour of following the laws in the country you&#8217;re in, using a VPN may be a good idea in some scenarios. </p>
<p>The best explanation of VPNs I&#8217;ve read is from <a href="http://computer.howstuffworks.com/vpn4.htm">HowStuffWorks.com, which suggests the analogy of the internet as an ocean</a> and most internet traffic as being like a ferry from one island to another. When you&#8217;re on a ferry, everyone can see who you are and what you are doing. It&#8217;s public. </p>
<p>A VPN, on the other hand, is like a submarine that allows you to travel underwater from island to island. Some savvy observers of the ocean (your ISP, for example) may know that you are in a submarine, but they won&#8217;t know your ultimate destination or what&#8217;s inside of the submarine (i.e., the information you are transferring from your computer to the destination computer).</p>
<p>To use a VPN, you simply need to install VPN software on your computer (some suggestions are provided below), connect to the internet, start the VPN software, then proceed to browse the net.</p>
<h3>Drawbacks of VPNs</h3>
<p>As with any security solution, VPNs have some drawbacks:</p>
<ol>
<li>You have to trust the VPN provider more than you trust your current connection. There&#8217;s no way around this if you&#8217;re using a commercial VPN (highly technical users can set up their own VPN servers to get around this problem, but the process is too difficult for most of us). The best assurance any VPN company can give you is <a href="http://news.cnet.com/8301-13554_3-9894596-33.html">something like this</a>:
<blockquote><p><em>What needs to be understood, is that our livelihood depends on keeping you safe and honoring your privacy. If we ever compromised that, unwillingly or with bad intent, I would imagine word would get out pretty fast. I can say that here at WiTopia, we take it very very seriously.</em></p></blockquote>
</li>
<li>They slow your browsing/VOIPing/messaging. Because of the encryption/decryption process and because your internet communications are first routed to your VPN&#8217;s servers before being routed to the ultimate destination, you&#8217;ll probably notice some lag.</li>
</ol>
<h3>A few VPN companies</h3>
<p>I can&#8217;t promise that these companies will keep your information secure. There is no such thing as perfect security. If it&#8217;s important to you, you need to do the background research and decide for yourself if using a VPN is safer than the alternative. That said, here are <a href="http://news.cnet.com/8301-13554_3-9874115-33.html">two companies that were discussed by CNET</a> and one that a friend recommended to me:</p>
<ol>
<li><a href="http://www.witopia.net/welcome.php">WiTopia</a></li>
<li><a href="http://www.hotspotvpn.com/">HotSpotVPN</a></li>
<li><a href="http://proxpn.com/">proXPN</a>, which is free and has a <a href="http://www.facebook.com/proXPN">Facebook page</a> where the company often answers user questions</li>
</ol>
<p><strong>Added 10 Aug 2010:</strong> <a href="http://www.reuters.com/article/idUSTRE67246V20100803">U.S. authorities are already able to tap BlackBerry messages</a>. And <a href="http://www.schneier.com/blog/archives/2010/08/uae_to_ban_blac.html">Bruce Schneier noted a few days ago that</a>:</p>
<blockquote><p>The UAE can&#8217;t eavesdrop on BlackBerry traffic because it is encrypted between RIM&#8217;s servers and the phones. That makes sense, but conventional e-mail services are no different. Gmail, for example, is encrypted between Google&#8217;s servers and the users&#8217; computers. So are most other webmail services. Is the mobile nature of BlackBerrys really that different? Is it really not a problem that any smart phone can access webmail through an encrypted SSL tunnel?</p></blockquote>
]]></content:encoded>
			<wfw:commentRss>http://www.defendingthekingdom.com/archives/blackberry-security-and-vpns/feed</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Yikes, my email was hacked!</title>
		<link>http://www.defendingthekingdom.com/archives/yikes-my-email-was-hacked</link>
		<comments>http://www.defendingthekingdom.com/archives/yikes-my-email-was-hacked#comments</comments>
		<pubDate>Wed, 14 Jul 2010 13:34:39 +0000</pubDate>
		<dc:creator>Ian Saxon</dc:creator>
				<category><![CDATA[passwords]]></category>

		<guid isPermaLink="false">http://www.defendingthekingdom.com/?p=392</guid>
		<description><![CDATA[An old and out of use Hotmail account, which I log into every couple of months just to prevent Hotmail from letting my account expire, was hacked in late May. Whoever or whatever (I suspect it was a machine) hacked into my account didn&#8217;t do anything terribly malicious. They simply borrowed my address for a [...]]]></description>
			<content:encoded><![CDATA[<div class="imgintro_right"><a href="/images/hacked_big.jpg"><img width="200" height="95" alt="Picture of sign depicting a warning of video surveillance in the area" src="/images/hacked_small.jpg" /></a></div>
<p>An old and out of use Hotmail account, which I log into every couple of months just to prevent Hotmail from letting my account expire, was hacked in late May. Whoever or whatever (I suspect it was a machine) hacked into my account didn&#8217;t do anything terribly malicious. They simply borrowed my address for a month and sent out loads of spam to everyone on my contact list and many more who were not. Sorry! And thanks to the friend who I inadvertently spammed and gave me the heads up about the problem.</p>
<h3>What Went Wrong</h3>
<p>I have no way of knowing how my account was compromised, but I suspect a brute force attack. Hotmail doesn&#8217;t lock accounts or insert any other barrier after a few (or even many) unsuccessful password entry attempts, so a machine could go on happily guessing at least one password per second for as long as it took to find the right one. Unfortunately, I made that process easier by having a password that was all lowercase and lacked special characters. Worse, even though I change most passwords every three or four months, I hadn&#8217;t changed that password since I opened the account. It wasn&#8217;t a giveaway password &#8211; it was 8 digits long and had a combination of letters and numbers &#8211; but I could have and should have done more.</p>
<p>Thankfully, the hackers didn&#8217;t change the locks while they were making use of my little piece of online real estate, and I was able to log in and reclaim full possession of the account. I set the new password to be extra robust.</p>
<h3>Dear Hotmail&#8230;</h3>
<p>And if anybody from Hotmail stumbles across this post: please consider asking people and machines who get their passwords wrong, say, five times in a row to pass a <a href="http://en.wikipedia.org/wiki/CAPTCHA">captcha test</a>. Gmail does it. You should, too.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.defendingthekingdom.com/archives/yikes-my-email-was-hacked/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>IC3&#8242;s 2009 Report</title>
		<link>http://www.defendingthekingdom.com/archives/ic3s-2009-report</link>
		<comments>http://www.defendingthekingdom.com/archives/ic3s-2009-report#comments</comments>
		<pubDate>Wed, 23 Jun 2010 11:53:06 +0000</pubDate>
		<dc:creator>Ian Saxon</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://www.defendingthekingdom.com/?p=361</guid>
		<description><![CDATA[The latest Internet Crime Complaint Center report is out and I&#8217;ll be blogging interesting bits over the next couple of months. Apparently, one of the newly fashionable scams starts with an email threat to your life: In 2009, IC3 received several complaints presenting a new spin on the media coined “Hitman Scam,” a type of [...]]]></description>
			<content:encoded><![CDATA[<div class="imgintro_right"><a href="/images/hitman_big.jpg"><img width="200" height="300" alt="Bald headed hitman" src="/images/hitman_small.jpg" /></a></div>
<p>The <a href="http://www.ic3.gov/media/annualreports.aspx">latest Internet Crime Complaint Center report</a> is out and I&#8217;ll be blogging interesting bits over the next couple of months. </p>
<p>Apparently, one of the newly fashionable scams starts with an email threat to your life:</p>
<blockquote><p>
In 2009, IC3 received several complaints presenting a new spin on the media coined “Hitman Scam,” a type of email extortion scheme. Victims are reportedly being threatened in an attempt to extort money. The victim receives an email from a member of an organization such as the “Ishmael Ghost Islamic Group.” The emailer claims to have been sent to assassinate the victim and the victim’s family members. The emailer asserts that the reason for the impending assassination resulted from an alleged offense, by the victim, against a member of the emailer’s gang. In a bizarre twist however, the emailer reveals that upon obtaining the victim’s information, another member of the gang (purported to know a member of the victim’s extended family) pleaded for the victim’s pardon. The emailer alleges that an agreement was reached with the pleading gang member to allow the victim pardon from assassination, if the victim takes some action such as sending $800 to a receiver in the United Kingdom for the migration of Islamic expatriates from the United States. Victims of this email are typically instructed to send the money via Western Union® or Money Gram® to a receiver in the United Kingdom. The emailer often gives the victim 72 hours to send the money or else pay with his/her life.
</p></blockquote>
<p>Respond as you would to any other extortion attempt or threat to your safety: inform the police.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.defendingthekingdom.com/archives/ic3s-2009-report/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>1.5 million Facebook accounts hacked?</title>
		<link>http://www.defendingthekingdom.com/archives/15-million-facebook-accounts-hacked</link>
		<comments>http://www.defendingthekingdom.com/archives/15-million-facebook-accounts-hacked#comments</comments>
		<pubDate>Fri, 21 May 2010 13:03:46 +0000</pubDate>
		<dc:creator>Ian Saxon</dc:creator>
				<category><![CDATA[passwords]]></category>

		<guid isPermaLink="false">http://www.defendingthekingdom.com/?p=374</guid>
		<description><![CDATA[Suppose you found out that a Russian hacker was selling access to hacked Facebook accounts for a mere $0.025 &#8211; $0.045 each, and that the hacker had 1,500,000 accounts to hawk. Should you be worried? Risk vs. Effort As it happens, this threat seemed plausible at one point last month. Now it appears that the [...]]]></description>
			<content:encoded><![CDATA[<p>Suppose you found out that a Russian hacker was selling access to hacked Facebook accounts for a mere $0.025 &#8211; $0.045 each, and that the hacker had 1,500,000 accounts to hawk. Should you be worried?</p>
<h3>Risk vs. Effort</h3>
<p>As it happens, this <a href="http://www.net-security.org/secworld.php?id=9186">threat seemed plausible at one point last month</a>. Now it appears that the <a href="http://blogs.verisign.com/idefense/2010/05/kirllos-and-the-15-million-stolen-accounts.html">danger was probably exaggerated</a> (although that&#8217;s what the Facebook folks <em>would</em> say, isn&#8217;t it?):</p>
<blockquote><p>Facebook&#8217;s assessment of Kirllos is that he is a low-level player and that he had nowhere near the 1.5 million accounts he advertised. Most likely, he had a few hundred accounts most of which he likely created himself. Through some interesting and impressive forensic work, the Facebook security team identified the real Facebook accounts owned by Kirllos, reset the passwords, and notified the account owners.</p></blockquote>
<p>But for fun, let&#8217;s take the hacker&#8217;s advertising at face value. How big of a risk is it to you, the average Facebook account holder? Well, to start with, <a href="http://www.facebook.com/press/info.php?statistics">there are over 400 million Facebook accounts</a>, so the chances that yours is among the 1.5 million currently on sale are less than half of one percent.</p>
<p>I&#8217;ve written before that the <a href="http://www.defendingthekingdom.com/archives/prices-say-a-lot">prices criminals are willing to pay to get your account details are good indicators of the magnitude of risk</a>. In this case, if the value of each Facebook account is less than 5 cents, criminal buyers must not be expecting much more than the value of their time as a return on hacking into accounts.</p>
<p>You should be much more concerned about your bank account login details getting stolen, as that information <a href="http://www.guardian.co.uk/money/2007/nov/24/scamsandfraud.economicpolicy">apparently sells for about 1% of the account balance</a>. In other words, buyers of this information expect a reasonable payoff in exchange for their investment and the risks they are taking.</p>
<p>So my take on the Facebook news is that it was initially alarming, but probably nothing to get worked up about. Of course, there&#8217;s no harm in updating and/or upgrading your Facebook password if you haven&#8217;t done so in a while.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.defendingthekingdom.com/archives/15-million-facebook-accounts-hacked/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>McAfee&#8217;s severely false positive</title>
		<link>http://www.defendingthekingdom.com/archives/mcafees-severely-false-positive</link>
		<comments>http://www.defendingthekingdom.com/archives/mcafees-severely-false-positive#comments</comments>
		<pubDate>Fri, 23 Apr 2010 21:28:26 +0000</pubDate>
		<dc:creator>Ian Saxon</dc:creator>
				<category><![CDATA[antivirus]]></category>

		<guid isPermaLink="false">http://www.defendingthekingdom.com/?p=358</guid>
		<description><![CDATA[If you&#8217;re a corporate/business user of McAfee&#8217;s Antivirus program, read this before doing anything else today. (Unless you want to destroy your computers&#8217; file systems on reboot.) Carry on.]]></description>
			<content:encoded><![CDATA[<p>If you&#8217;re a corporate/business user of McAfee&#8217;s Antivirus program, <a href="https://kc.mcafee.com/corporate/index?page=content&#038;id=KB68780">read this</a> before doing anything else today. (Unless you want to destroy your computers&#8217; file systems on reboot.)</p>
<p>Carry on.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.defendingthekingdom.com/archives/mcafees-severely-false-positive/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>How I&#8217;d hack your weak passwords</title>
		<link>http://www.defendingthekingdom.com/archives/how-id-hack-your-weak-passwords</link>
		<comments>http://www.defendingthekingdom.com/archives/how-id-hack-your-weak-passwords#comments</comments>
		<pubDate>Fri, 23 Apr 2010 21:07:54 +0000</pubDate>
		<dc:creator>Ian Saxon</dc:creator>
				<category><![CDATA[passwords]]></category>

		<guid isPermaLink="false">http://www.defendingthekingdom.com/?p=351</guid>
		<description><![CDATA[Read this list of commonly used passwords and see if you get a little nervous. Double twangs of deserved nervousness if you use the same password for every account. The post has some solid advice about making and managing great passwords, too.]]></description>
			<content:encoded><![CDATA[<div class="imgintro_right"><a href="/images/passwordjoke_big.jpg"><img width="200" height="250" alt="Barbarians at the gate demanding easy password" src="/images/passwordjoke_small.jpg" /></a></div>
<p>Read <a href="http://onemansblog.com/2007/03/26/how-id-hack-your-weak-passwords/">this list of commonly used passwords</a> and see if you get a little nervous. Double twangs of deserved nervousness if you use the same password for every account. </p>
<p>The post has some solid advice about making and managing great passwords, too. </p>
]]></content:encoded>
			<wfw:commentRss>http://www.defendingthekingdom.com/archives/how-id-hack-your-weak-passwords/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>IE8 is the most secure</title>
		<link>http://www.defendingthekingdom.com/archives/ie8-is-the-most-secure</link>
		<comments>http://www.defendingthekingdom.com/archives/ie8-is-the-most-secure#comments</comments>
		<pubDate>Mon, 29 Mar 2010 19:49:21 +0000</pubDate>
		<dc:creator>Ian Saxon</dc:creator>
				<category><![CDATA[browsers]]></category>

		<guid isPermaLink="false">http://www.defendingthekingdom.com/?p=346</guid>
		<description><![CDATA[According to one study, anyway. A recently released report claims that Internet Explorer 8 (IE8) is more than twice as effective at blocking malware sites than its nearest rival. According to NSS Labs, which conducted the Microsoft-sponsored study, IE8 blocked 69% of the 492 malware-distributing Web sites that were included in the survey data. Mozilla&#8217;s [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.computerworld.com/s/article/9130342/IE8_best_at_blocking_malware_sites_says_study?intsrc=news_ts_head">According to one study</a>, anyway. </p>
<blockquote><p>A recently released report claims that Internet Explorer 8 (IE8) is more than twice as effective at blocking malware sites than its nearest rival.</p>
<p>According to NSS Labs, which conducted the Microsoft-sponsored study, IE8 blocked 69% of the 492 malware-distributing Web sites that were included in the survey data. Mozilla&#8217;s Firefox, meanwhile, blocked only 30% of those same sites.</p>
</blockquote>
<p>That the study was paid for by Microsoft doesn&#8217;t help its credibility (check out <a href="http://www.thetechherald.com/article.php/200912/3268/Can-you-trust-the-NSS-Labs-report-touting-the-benefits-of-IE8">some of the complaints that are cropping up</a>), but it&#8217;s worth considering as a single data point.</p>
<p>I consider browser security to be a crucial pillar of overall system security at this point. Malware infected sites, which can include otherwise trustworthy sites that have been hacked, are becoming fairly common.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.defendingthekingdom.com/archives/ie8-is-the-most-secure/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Twitter Attack</title>
		<link>http://www.defendingthekingdom.com/archives/twitter-attack</link>
		<comments>http://www.defendingthekingdom.com/archives/twitter-attack#comments</comments>
		<pubDate>Tue, 23 Feb 2010 00:30:52 +0000</pubDate>
		<dc:creator>Ian Saxon</dc:creator>
				<category><![CDATA[phishing]]></category>

		<guid isPermaLink="false">http://www.defendingthekingdom.com/?p=339</guid>
		<description><![CDATA[Just a heads up for you Twitter users: A phishing attack that began striking U.S. Twitter profiles this weekend is still going strong and isn&#8217;t showing any signs of letting up. As VentureBeat reports, the scam operates through a direct message reading, &#8220;Lol. this you?&#8221; Once users click on it, they&#8217;re sent to a fake [...]]]></description>
			<content:encoded><![CDATA[<p>Just a <a href="http://www.switched.com/2010/02/22/lol-phishing-attack-still-wreaking-havoc-on-twitter/">heads up for you Twitter users</a>:</p>
<blockquote><p>A phishing attack that began striking U.S. Twitter profiles this weekend is still going strong and isn&#8217;t showing any signs of letting up. As VentureBeat reports, the scam operates through a direct message reading, &#8220;Lol. this you?&#8221; Once users click on it, they&#8217;re sent to a fake Twitter login page, where they could be tricked into revealing their login and password. </p></blockquote>
<p>It seems to me that threats like this one are becoming more common, probably because most folks have become pretty good at fending off standard viruses. The major browser vendors are working hard to harden their software against phishing threats, but it&#8217;s hard to protect people from their own gullibility.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.defendingthekingdom.com/archives/twitter-attack/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Natwest beats the keyloggers</title>
		<link>http://www.defendingthekingdom.com/archives/natwest-beats-the-keyloggers</link>
		<comments>http://www.defendingthekingdom.com/archives/natwest-beats-the-keyloggers#comments</comments>
		<pubDate>Fri, 01 Jan 2010 16:29:24 +0000</pubDate>
		<dc:creator>Ian Saxon</dc:creator>
				<category><![CDATA[passwords]]></category>

		<guid isPermaLink="false">http://www.defendingthekingdom.com/?p=314</guid>
		<description><![CDATA[NatWest, a UK-based bank, has a unique login page that makes it safe to sign into your online bank account even on untrusted computers. The login page makes it impossible to employ the Revised Vesik Method that is ordinarily the best way to beat keyloggers, but it more than compensates with its clever login requirements. [...]]]></description>
			<content:encoded><![CDATA[<div class="imgintro"><a href="/images/Natwest_big.jpg"><img width="300" height="188" alt="Natwest bank sign in page" src="/images/Natwest_small.jpg" /></a></div>
<p>NatWest, a UK-based bank, has a unique login page that makes it safe to sign into your online bank account even on untrusted computers. The login page makes it impossible to employ the <a href="http://www.defendingthekingdom.com/archives/vesik-method-revised">Revised Vesik Method</a> that is ordinarily the best way to beat keyloggers, but it more than compensates with its clever login requirements.</p>
<p>When logging in, the first set of fields asks for just three of the four or more digits that make up your account PIN, and the next set of fields asks for just three of the eight or more characters from your password (you are using eight characters or more for your passwords, right?). The specific characters you need to enter change each time you <em>successfully</em> log in.</p>
<p>So suppose a keylogger captures every stroke you enter &#8211; are you safe? Yes, since the six digits that a keylogger could scrape are likely to prove useless when the next login page is generated. The new page will ask for different characters, and it won&#8217;t regenerate new requirements until those characters are successfully entered. That&#8217;s important, because otherwise it might be possible to refresh the page until the desired six digits are requested again.</p>
<h3>As safe as other techniques?</h3>
<p>You might wonder if the trick of asking for just six digits means that the login procedure is less safe than one that asks for eight. I believe it is, but not in any sense that matters as long as there is a limit to the number of incorrect login attempts that can be made. Like most banks, NatWest hinders password-guessers by temporarily blocking access to online banking after a certain number of failed login attempts.</p>
<p>So, how much less safe is NatWest&#8217;s request for six digits instead of eight? Well, guessing an eight-digit password composed of numbers and varied case letters would see success about 1 in 200 trillion times; guessing a single number from a four-digit PIN and then guessing the correct three digits from the same password as before would see success about 1 in 2.4 million times. There is a difference, but it doesn&#8217;t really matter if the temporary lockout feature is working properly. In my judgment, the anti-phishing benefits make NatWest&#8217;s login procedure safer than login pages that ask for complete passwords.</p>
<p>The one downside is that logging in is inconvenient, since you have to mentally count to the right digit in your password before entering it. Still, NatWest&#8217;s login requirements ought to be considered industry best practice. I hope to see more banks adopt the technique.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.defendingthekingdom.com/archives/natwest-beats-the-keyloggers/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
