Apple notably failed in a few key ways which should serve as a lesson to others:

1. Always disclose what you’re doing. – Never just assume what you’re doing with someone’s information is cool. Apple could have mitigated a lot of this had they disclosed what the phone was actually doing from day 1. Never transmit anonymous or personal information without letting the user know first.
2. Never store more than you need – I can’t believe how many companies mess this up. Storing user information is a liability. A good business limits it’s liabilities to only what’s necessary to conduct business. Storing so much data, and not expunging was a very bad move and amplified the situation. On top of not letting users know what was going on, there was no way to purge information. This just made things much worse. Apple went as far as backing up what should be an expendable cache.
3. Always be paranoid with information – Apple states “The local cache is protected with iOS security features, but it is not encrypted. Beginning with the next major release of iOS, the operating system will encrypt any local cache of the hotspot and cell tower location information.” in the response to Edward J. Markey. This should have been encrypted since day 1. Various tools existed for a few years that could read this data in the surveillance community. Apple undoubtedly knew people were using this data sometimes for illicit purposes. No company has gotten in trouble for being to secure with customer information with anyone other than the NSA or FBI.

It’s worth noting that their software update in response to this controversy is actually pretty good and pretty thorough. I’m surprised they couldn’t quickly shim some encryption around it. The iOS is loaded with enough DRM and crypto.

On another note, I fully expect some court cases to be reopened now that “cell phone records” are not quite as accurate as they were falsely billed to be. Also companies who marketed software are capable of showing a users location history may be liable as this wasn’t accurately vetted. If they did good testing they would have seen the extent of it’s “tracking”. It seems inevitable.

Lastly, I wonder how much battery life, and how much bandwidth this was utilizing. Some customers are on metered WiFi (especially some hotspots). To geo-tag one must turn on GPS, meaning battery life was being drained behind the scenes.

Apple’s full response can be found on Congressman Ed Markey’s website (copied here for perpetuity).

I don’t understand this one. The reason many (most) sites require you to confirm your password is to ensure you typed it correctly when creating your password, otherwise a typo would prevent you from logging back in correctly later. We’ve all “fat fingered” a password before. That simple confirmation step prevents it on creation. How does entering my password twice when logging in provide any additional security? If the password is compromised, the extra field does nothing.

I presume the reason is to make Quicken look/feel more secure than it really is.

I should note that I like Quicken. I like it enough that even though the native Mac version is so disappointing on paper that I never purchased it, I did I purchased the Windows version and continue to use it there. I think that demonstrates my not hating Quicken. It does however have its quirks that just make me wonder what they were thinking.

The software LANrev (now renamed Absolute® Manage) intends for the feature to be used by administrators for the purposes of theft recovery. That obviously leaves an avenue for abuse.

If you or someone you know has a laptop with a camera that is managed by a third party, always assume they could have control of that device. A simple piece of opaque tape (I’d suggest electrical tape) over the camera will prevent any abuse of the camera. You can put a small piece of paper between the camera glass and tape to help avoid damage and clean it when you remove the tape before returning it. Harmless fix. Someone could in theory still listen using the microphone and view what’s on the screen at any given moment, but that’s a much smaller invasion of privacy than someone watching you get undressed in your own home. Use the computer only for school work if possible, and the rest isn’t much of an issue.

Someone did some digging into the software and it’s implementation at this particular school district, and quite frankly it’s a bit disturbing.

In a September 2009 post that may come to haunt this investigation, Perbix posted a scripting method for remote enable/disable of the iSight camera in the laptops. This post makes a lot more sense when Perbix puts it in context on an admin newsgroup, in a post which makes it clear that his script allows for the camera to appear shut down to user applications such as Photo Booth but still function via remote administration:

“what this does is prevent internal use of the iSight, but some utilities might still work (for instance an external application using it for Theft tracking”

This type of stuff should have set off some alarms. Good security doesn’t rely on obscurity or deceit.

The laptops have a light next to the camera that illuminates when the camera is activated, however the IT folks are alleged to have claimed the light appearing was a glitch according to the above link.

That said, school districts shouldn’t use laptops with cameras and microphones. Manufacturers should give those bulk purchasers the ability to have no camera installed. Alternatively they should be physically removed from the chassis by IT staff before being distributed to students. Disabling via software or policy isn’t going to stop this problem as long as the same people who control the laptops are the ones most likely to abuse it.

This is an interesting mix of hardware, software and policy security implications. The hardware worked correctly (it warned the user) but shouldn’t have existed. The software was abused and the policy was flawed. Lots of things can be learned here.

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

James Madison slipped up and failed to account for advancements in technology like computers and the Internet. Are digital files considered “papers and effects”? Is law enforcement copying files considered “searches and seizures”? If your files live on a server is that considered your “house”? Of course back in his day, this wasn’t even comprehensible. The amendment is a bit dated.

Electronic Communications Privacy Act (EPICA) was an effort in 1986 to clarify how such laws applied to electronic communications. It too is somewhat outdated and heavily focused on the transfer than the storage aspect, something the modern SaaS model has completely disrupted. It’s also been weakened and contradicted by court rulings and things like the Patriot Act.

This creates enough of a legal quagmire to concern a seemingly bizarre list of companies and organizations to form the Digital Due Process Coalition to revise and clarify these laws. For companies like Google and Microsoft it makes sense. Their business relies on making companies and individuals feel comfortable trusting them with personal data. They are also increasingly stuck in odd positions thanks to contradictory and untested laws.

The outcome of this will possibly be as long-lasting and as iconic as the fourth amendment itself. Given our culture, information, and way of life is becoming increasingly digital it will impact a large part of how we function and will function in years to come. For anyone working in IT, this will impact the way you do business.

It’s pretty simple to use. Just visit the page, and update the plugins that need to be updated. At the end of the day you want to see a string of green like this:

An easy step for a faster, more stable, and most importantly more secure web browsing experience.

Speed, simplicity and security are the key aspects of Google Chrome OS. We’re designing the OS to be fast and lightweight, to start-up and get you onto the web in a few seconds. The user interface is minimal to stay out of your way, and most of the user experience takes place on the web. And as we did for the Google Chrome browser, we are going back to the basics and completely redesigning the underlying security architecture of the OS so that users don’t have to deal with viruses, malware and security updates. It should just work.

It’s an interesting and somewhat bold statement.

Trusting The Grid

I’m personally not into pushing computing too much onto the web, and suspect that while general consumers don’t mind it, most who work in technology, share my distrust. The internet is rather resilient, but it’s hardly flawless. Very few ISP’s guarantee uptime for anyone but corporate customers who pay dearly for that guarantee. Sure offline support is on the way thanks to HTML5 and Google Gears, but it’s not a true substitute for local data and applications as online applications generally feel crippled when they are offline.

Cloud Computing is also at its infancy and not showing the uptime most expect. Even Google can’t seem to keep Gmail up enough to keep complaints to a minimum. If anyone has the capacity to do so it’s them. I think that’s more a sign of the state of technology than a reflection of Google. Some may note search has higher reliability, but search is a different beast. Search is a lookup against generic data. You can bounce users to different clusters with nobody knowing anything. Gmail replicates your data in multiple places, but not every server in every data center they own. That’s why most outages effect a percentage of users.

I’m even more skeptical of the security of online applications. Besides the obvious question of who can access your data on any given website, do they even need to notify you of a breach? Are warrants needed for law enforcement to browse around? Who really owns it? What happens if the website’s operator goes out of business, are they required to give you a chance to get your data out? Can they sell it to someone else? There doesn’t seem to be any real consensus as most countries laws don’t really account for digital property and electronic privacy. We’re still years away from knowing how rights in the physical world extend into the digital age, if at all.

As I’ve discussed before that controlling your own data is still important.

Security

Regarding the claims of minimizing security risks. One thing folks like Bruce Schneier (Wikipedia bio) keep saying like a broken record is that attacks will always improve, and there is no such thing as perfect security. I know I’m the minority for believing the pro’s rather than the marketing. Just take a look at the work of Marc Weber Tobias if you believe security can be perfect (long article + videos, but well worth it).

Sure desktops are prone to viruses, malware, etc. However you can drastically reduce your risk by simply running an AntiVirus and using a modern browser. You can further reduce your risk by keeping backups which are dead simple to do with modern OS’s or with one of the many backup utilities out there. If you have a Mac with 10.5 you already have Time Machine, just need to plug-in an external hard drive. Despite scary stories, there are actually pretty few instances of data being stolen from a personal computer by someone who didn’t have direct access to it (such as an ex, or a coworker).

Previous attempts

This isn’t a new concept. Most recently Palm’s webOS is based on essentially the same concept, except webOS is targeting handhelds. In fact webOS runs WebKit as well. Don’t be surprised if Palm tries to retool webOS a little bit and bring back the Palm Foleo idea. I should note webOS seems to be well liked by users.

Some will also note that before Apple released its native SDK it was trying to do the same thing with the iPhone, though Apple never quite integrated WebKit’s UI into the OS instead preferring to just launch Safari.

There’s also the CrunchPad an interesting but yet to be released product Michael Arrington is behind.

There have also been several attempts at running a browser-based desktop environment, which effectively turns your computer and browser into a terminal. This concept never really caught on due to performance and limitations in what the technology could do.

Android

Even Google acknowledges that this overlaps on Android a little bit. Personally I think this is a little bit of a blow to Android. If I can use web technologies and target desktops, Netbooks and all modern smart phones, why would I really want to bother with Android’s sandboxed environment? If it’s good enough for a Netbook experience, I would suspect it’s good enough for a phone experience, which has always been even more scaled down. This doesn’t make Android irrelevant, but it means anything that runs on Android will likely run on Palm’s webOS or Apple’s iPhone OS.

The perks

There are some perks to Google’s Chrome OS regardless of its actual success in the market. First of all anything that drives innovation (as this will) is a win. Secondly Google’s announcement now is because it needs to start working in a more public way with the open source community. Even if Chrome OS goes nowhere, the benefits of Google’s engineers contributing enhancements and fixes to open source projects will live on.

Lastly, Google Chrome OS is putting a lot of faith in HTML5, and that’s seemingly good for everyone who wants to see the internet evolve and mature.

Conclusion

I’m skeptical of putting everything in the cloud. Security breaches are inevitable and building larger honeypots just makes it more tempting. While Google is a reputable and stable company, there are companies out there who don’t really care about safeguarding data and may disappear tomorrow without any notice taking your data with it. This is why I still prefer to control my own data. That requires a little more than what this OS is likely going to deliver.

That said, I’m hopeful that the Google’s push to make the web the ultimate SDK will pay off and benefit everyone. Google’s contributions to open source will also benefit everyone using it directly or indirectly.

I suspect it will have a tough time competing, especially if Apple releases a Netbook or Tablet utilizing what they’ve learned from the MacBook Air and iPhone. Apple is rumored to have a tablet in the works, though that rumor has surfaced several times over the past 8 or 9 years.

1. Use SSL When Available – Many sites offer SSL interfaces to make them more secure. Sometimes it’s used by default, sometimes it’s not. You can often test yourself by just changing the http:// in the url to https:. For example, you can do this for virtually all Google services including, Google Docs, Gmail, Google Calendar, etc. For Gmail there’s even an option to force SSL. If you still haven’t enabled this, do so now. Many non-Google products offer this too, for example Meebo.
2. Be Cautious Of Open Networks – Just because you see a WiFi hotspot doesn’t mean it’s safe. It’s trivial for someone to sit in a coffee shop with a laptop and pretend to be free internet access. Once someone connects they can essentially snoop on all that persons traffic. Connect only to networks you know and only use services over a VPN or HTTPS so that your traffic isn’t in plain text. To be extra cautious limit the amount of high risk activities you do on these networks (do your banking from home).
3. Don’t Connect To The Internet Directly – Even if you have only one computer, it’s still advisable to have an access point between you and your internet connection. Virtually all access points today provide decent firewall protection that will shield you from any of the horrors that exist on the internet. Any NAT device will provide a degree of protection (though NAT isn’t a firewall replacement). Access points can often be found for under $50 making this a very sound investment. Yes there are software firewalls, but they have downsides. The minimum is a hardware device between your computer and your broadband modem
4. Use Encryption For Your Home WiFi – If you have a home wireless network, make sure you have encryption enabled and use it. Ideally you should be using WPA2/AES since it’s the most secure at this point, though anything is better than nothing. While sites you browse over HTTPS are encrypted, you still want the entire tunnel encrypted. This does hurt performance slightly but most modern hardware (even the cheap stuff) is more than capable of handling this. Odds are you run an 802.11g network and your wireless is way faster than your broadband anyway. If you don’t have this enabled or don’t know how, check the manual, the manufacturer’s website or call tech support for help. You should be doing this.
5. Don’t Trust IM or Email For Confidential Information – IM and Email aren’t very secure mechanisms for sending information. They should never be trusted for things like sending credit cards, social security numbers, medical information, etc. If you ever see a merchant using IM to process a credit card (so they only need 1 terminal rather than one per location), pay cash or walk away. Sadly it happens. It’s perfectly fine for chatting with your friends, but not good for secure information. It’s possible to encrypt email with PGP or GPG, and IM’s with OTR or an encryption certificate but they require both parties to utilize them and are somewhat technical in nature and therefore few actually use them.
6. Only Download From Trusted Sources – Download only from trusted places. Download software only from the developer’s website, not just any place that has it. Look for software at places like Tucows, FileForum, download.com (operated by my employer) and other well trusted download locations. There’s a lot of hoax sites out there trying to distribute malware (malicious software). Also be suspicious of anyone offering commercial software for free.
7. Keep your AntiVirus Up To Date – Just installing AntiVirus software isn’t enough. The program is useless unless you keep the virus definitions (the files which tell the software what is a virus and what isn’t) up to date. All modern AntiVirus software does this automatically for the duration of the subscription. When your subscription expires either upgrade to a new version or renew the subscription. There are enough free AntiVirus solutions out there for Windows to make it inexcusable to not have protection. For paid AntiVirus, Norton AntiVirus 2009 is pretty good (I use it and reviewed it myself). So is Kaspersky. Avast and AVG would be my personal recommendations for free.
8. Use AntiSpyware – AntiVirus products go a long way, but you’re much better off if you use an AntiSpyware product as well. Many of them are free downloads, just make sure you get them from reputable places. I’d recommend Spybot S&D, AdAware and Windows Defender. Make sure to run the updater within the product at least once a week, and scan on occasion (weekly, biweekly, whatever). Mac users don’t really need to do anything here as Spyware isn’t much of an issue thus far.
9. Be Aware Of Phishing – Never open links in email unless you’re sure of its origin. If your bank wants you to login and do something, visit the banks website by going to the site yourself rather than clicking on a suspicious link. No business will ask you to verify your password. Microsoft has some more tips.
10. Use A Secure Browser – Firefox 3, IE 7+, Safari 3.2 all offer Phishing protection. This isn’t perfect (nothing really is), but it can greatly reduce your chances of being a victim of a phishing attack. Enough browsers support protection that you shouldn’t be browsing without it. Firefox 3 also includes malware protection. I have a Firefox bias though that doesn’t mean you can ignore this. Use a modern browser with phishing protection.
11. Secure Your Computer – If you have a laptop you should have a password when logging in. If you don’t, correct this. It’s easy to do on Windows or Mac OS X. This will at least stop dumb thieves, which are fairly numerous. Even if your laptop never leaves your home this is still a good idea. It’s not impossible for the cable guy, phone guy, refrigerator repair man, etc. to try and steal something like a laptop. This is such a small step that can save you some trouble later on.
12. Secure Your Cell Phone – It’s not going overboard to secure your cell phone. If you’re like a growing number of people, your cell phone is a much more complicated device than it was just a few years ago. It can contain a lot of data including phone numbers, your calendar, photos, browsing history, email, even financial data. Just this week someone sued because they lost their cell phone, which happened to contain nude pictures that they claim were leaked online. Most phones include the ability to add some form of a password or passcode. The iPhone even has an option to wipe data after a certain number of unsuccessful attempts. Securing this compact hard drive isn’t a bad idea.
13. Don’t Put Things Online You May Regret – People who do this admittedly deserve what they get. Posting information regarding your personal lows may work out to your advantage in the future. Already 1 in 10 college admissions officers check social networking profiles according to Kaplan. When I graduated college in 2006 I could tell who actually looked at my job application by looking at the log files for this blog. All but one or two potential employers went to Google to screen me. In more than one case I actually used tail -f and watched them (live!) browsing this blog from their corporate network while they screened me over the phone. Only one actually brought it up in an interview (and he said he was impressed by depth of my technical posts). That was way back in 2006. Employers and colleges are much more savvy now. I get emails from headhunters constantly because of this blog. Because of this I know it’s not scaremongering. People out there really do use the Internet to screen strangers. This is standard practice, especially if you’re under 30 (and more likely to have some digital trace online) or if you apply for a tech/internet job.
14. Backup – Backing up is important. Get an external hard drive and backup all data you care about on a routine basis. I’d suggest at least once a week. I’d also suggest having some sort of off-site backup for things you wouldn’t want to loose in the event of a fire or natural disaster (email, financial records, etc.). You could use online services like Amazon’s S3, though make sure to use encryption, or the offline method of saving them to a disk and putting that disk either at a parents home, safe deposit box, etc. Just make sure that disk is either encrypted or in a secure location where it won’t fall into the wrong hands. A fireproof safe is another way to go though you’ll want to make sure you use a UL Class 125 safe rated for at least 1hr. They can withstand fire and keep the internal climate at no more than 125°F and 80% humidity, suitable for magnetic media. If it’s not UL tested make sure it’s suitable for the media you are trying to store for at least 1hr, preferably more.

I must admit I didn’t know that the database is funded by the National Cyber Security Division of the United States Department of Homeland Security. I did know US-CERT was.

Yet another piece of evidence that shows the technology is not ready for prime time. I’ve mentioned several times before what a failure RFID deployments in high security situations has been. This is just another example.

[Via Bruce Schneier]