Categories
In The News Internet

Yahoo gives way to identity fraud

Think about it:

  • Marine was over 18 (legal independent adult in the US).
  • Marine didn’t put in writing that he wanted his parents to have access.

Considering this, why can’t I have access? There is no report of the parents having a DNA test compared to the remains of the soldier to prove a blood relation. For all that’s known, they are just random people. A person’s birth certificate in the US doesn’t contain fingerprinting of parent/child (as it should, and has been argued for about 50 years). Only a legal name of the child, and the parent, plus mother’s age. Which often isn’t unique (how many John Smiths are there?). This isn’t to say they are cons. But that there’s no true proof unless there’s a DNA test. It’s rather easy in the US to live under an identity that’s not your own. People do it all the time. Most just to escape creditors, or family. Nothing too evil. But of course some ex-cons do as well just to escape the stigma. Stories of people living under fake identities for decades are not at all uncommon. They get driver’s licenses, and all benefits under such identities.

Nor is there legal precedent that just because you’re a parent you can get such access. Normally that would go to whomever the deceased designates. Not just “anyone who asks for it”. Typically a spouse.

If that soldier’s bank account didn’t have his parent as a cosigner on the account, guess what. That account’s not going to the parents with just a simple legal proceeding.

This is a big win for any identity scammers. Look through death certificates filed at your local municipality, and go after ISPs to get email accounts. Then use the email account (and its data). Can do all sorts of fun things:

  • pretend to be that person and con people
  • extract passwords, data from stored email
  • submit it to websites to get passwords reset on various accounts

It would be rather easy for someone to show a death certificate and say they are the next of kin and deserve the ability to take the person’s identity (which is essentially what getting email is).

This is phishing to a whole new level.

This is of course beside the fact that anyone who emailed the person intended for the email to be received by the individual, not whomever files papers with the court for access. At a minimum Yahoo should have contacted all people who corresponded with the individual and asked if they are ok with being included with this. If I were one of them, I would be rather upset. An email sent is intended for the recipient, unless otherwise stated.

Get ready for some serious abuse of this new power. I’m positive we’re going to see some new phishing attempts designed to exploit this.

I’m curious why it isn’t this easy to get access to someone’s bank account without being a cosigner on the account? What’s the difference? There’s a lot less harm in getting access to assume the person’s cash than the person’s identity.

Credit to Yahoo for giving a CD, not the account itself. But it’s still wrong. This makes fraud all too easy. Now you don’t even need to be smart. You just need to have the balls to file some papers with a court who is way too busy to even read them.

Categories
Mozilla

Mozilla EULA Followup

Following up from a few days ago, the EULA (End User License Agreement) has landed for 1.0. I copied the text here so everyone who hasn’t downloaded a build yet can see what I’m talking about:

FOR TRANSLATIONS OF THIS LICENSE INTO SELECTED LANGUAGES, PLEASE VISIT WWW.MOZILLA.ORG/LICENSING.

MOZILLA FOUNDATION

MOZILLA FIREFOX END-USER SOFTWARE LICENSE AGREEMENT

A SOURCE CODE VERSION OF CERTAIN FIREFOX BROWSER FUNCTIONALITY THAT YOU MAY USE, MODIFY AND DISTRIBUTE IS AVAILABLE TO YOU FREE-OF-CHARGE FROM WWW.MOZILLA.ORG UNDER THE MOZILLA PUBLIC LICENSE and other open source software licenses.

The accompanying executable code version of Mozilla Firefox and related documentation (the “Product”) is made available to you under the terms of this MOZILLA FIREFOX END-USER SOFTWARE LICENSE AGREEMENT (THE “AGREEMENT”). BY CLICKING THE “ACCEPT” BUTTON, OR BY INSTALLING OR USING THE MOZILLA FIREFOX BROWSER, YOU ARE CONSENTING TO BE BOUND BY THE AGREEMENT. IF YOU DO NOT AGREE TO THE TERMS AND CONDITIONS OF THIS AGREEMENT, DO NOT CLICK THE “ACCEPT” BUTTON, AND DO NOT INSTALL OR USE ANY PART OF THE MOZILLA FIREFOX BROWSER.

DURING THE MOZILLA FIREFOX INSTALLATION PROCESS, AND AT LATER TIMES, YOU MAY BE GIVEN THE OPTION OF INSTALLING ADDITIONAL COMPONENTS FROM THIRD-PARTY SOFTWARE PROVIDERS. THE INSTALLATION AND USE OF THOSE THIRD-PARTY COMPONENTS MAY BE GOVERNED BY ADDITIONAL LICENSE AGREEMENTS.

1. LICENSE GRANT. The Mozilla Foundation grants you a non-exclusive license to use the executable code version of the Product. This Agreement will also govern any software upgrades provided by Mozilla that replace and/or supplement the original Product, unless such upgrades are accompanied by a separate license, in which case the terms of that license will govern.
2. TERMINATION. If you breach this Agreement your right to use the Product will terminate immediately and without notice, but all provisions of this Agreement except the License Grant (Paragraph 1) will survive termination and continue in effect. Upon termination, you must destroy all copies of the Product.
3. PROPRIETARY RIGHTS. Portions of the Product are available in source code form under the terms of the Mozilla Public License and other open source licenses (collectively, “Open Source Licenses”) at http://www.mozilla.org. Nothing in this Agreement will be construed to limit any rights granted under the Open Source Licenses. Subject to the foregoing, Mozilla, for itself and on behalf of its licensors, hereby reserves all intellectual property rights in the Product, except for the rights expressly granted in this Agreement. You may not remove or alter any trademark, logo, copyright or other proprietary notice in or on the Product. This license does not grant you any right to use the trademarks, service marks or logos of Mozilla or its licensors.
4. DISCLAIMER OF WARRANTY. THE PRODUCT IS PROVIDED “AS IS” WITH ALL FAULTS. TO THE EXTENT PERMITTED BY LAW, MOZILLA AND MOZILLA’S LICENSORS HEREBY DISCLAIM ALL WARRANTIES, WHETHER EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES THAT THE PRODUCT IS FREE OF DEFECTS, MERCHANTABLE, FIT FOR A PARTICULAR PURPOSE AND NON-INFRINGING. YOU BEAR ENTIRE RISK AS TO SELECTING THE PRODUCT FOR YOUR PURPOSES AND AS TO THE QUALITY AND PERFORMANCE OF THE PRODUCT. THIS LIMITATION WILL APPLY NOTWITHSTANDING THE FAILURE OF ESSENTIAL PURPOSE OF ANY REMEDY. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR LIMITATION OF IMPLIED WARRANTIES, SO THIS DISCLAIMER MAY NOT APPLY TO YOU.
5. LIMITATION OF LIABILITY. EXCEPT AS REQUIRED BY LAW, MOZILLA AND ITS DIRECTORS, LICENSORS, CONTRIBUTORS AND AGENTS (COLLECTIVELY, THE “MOZILLA GROUP”) WILL NOT BE LIABLE FOR ANY INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL OR EXEMPLARY DAMAGES ARISING OUT OF OR IN ANY WAY RELATING TO THIS AGREEMENT OR THE USE OF OR INABILITY TO USE THE PRODUCT, INCLUDING WITHOUT LIMITATION DAMAGES FOR LOSS OF GOODWILL, WORK STOPPAGE, LOST PROFITS, LOSS OF DATA, AND COMPUTER FAILURE OR MALFUNCTION, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES AND REGARDLESS OF THE THEORY (CONTRACT, TORT OR OTHERWISE) UPON WHICH SUCH CLAIM IS BASED. THE MOZILLA GROUP’S COLLECTIVE LIABILITY UNDER THIS AGREEMENT WILL NOT EXCEED THE GREATER OF $500 (FIVE HUNDRED DOLLARS) AND THE FEES PAID BY YOU UNDER THIS LICENSE (IF ANY). SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR LIMITATION OF INCIDENTAL, CONSEQUENTIAL OR SPECIAL DAMAGES, SO THIS EXCLUSION AND LIMITATION MAY NOT APPLY TO YOU.
6. EXPORT CONTROLS. This license is subject to all applicable export restrictions. You must comply with all export and import laws and restrictions and regulations of any United States or foreign agency or authority relating to the Product and its use.
7. U.S. GOVERNMENT END-USERS. The Product is a “commercial item,” as that term is defined in 48 C.F.R. 2.101, consisting of “commercial computer software” and “commercial computer software documentation,” as such terms are used in 48 C.F.R. 12.212 (Sept. 1995) and 48 C.F.R. 227.7202 (June 1995). Consistent with 48 C.F.R. 12.212, 48 C.F.R. 27.405(b)(2) (June 1998) and 48 C.F.R. 227.7202, all U.S. Government End Users acquire the Product with only those rights as set forth herein.
8. MISCELLANEOUS. (a) This Agreement constitutes the entire agreement between Mozilla and you concerning the subject matter hereof, and it may only be modified by a written amendment signed by an authorized executive of Mozilla. (b) Except to the extent applicable law, if any, provides otherwise, this Agreement will be governed by the laws of the state of California, U.S.A., excluding its conflict of law provisions. (c) This Agreement will not be governed by the United Nations Convention on Contracts for the International Sale of Goods. (d) If any part of this Agreement is held invalid or unenforceable, that part will be construed to reflect the parties’ original intent, and the remaining portions will remain in full force and effect. (e) A waiver by either party of any term or condition of this Agreement or any breach thereof, in any one instance, will not waive such term or condition or any subsequent breach thereof. (f) Except as required by law, the controlling language of this Agreement is English. (g) You may assign your rights under this Agreement to any party that consents to, and agrees to be bound by, its terms; the Mozilla Foundation may assign its rights under this Agreement without condition. (h) This Agreement will be binding upon and will inure to the benefit of the parties, their successors and permitted assigns.

I must say: I like it.

Privacy Policy

I’ve been an advocate of this for a while. Mozilla.org should have a privacy policy. Firefox is strongly backed by those in the media who are about privacy, and security. Firefox doesn’t have a clear privacy policy. That concerns me. Not because I think something is happening with my privacy, but because it leaves an open door for bad press. And there’s no real way around it. There’s no clear statement how information is gathered and used.

We have tools that transmit data back to the Mozilla Foundation. For example Talkback. The first time it runs, it does tell you a little about itself. But it doesn’t say enough. Does it mention talkback-public? Not last I checked. It doesn’t discuss how the information is sanitized etc. Update also “phones home”. We don’t mention that, and what’s transmitted. It should also explicitly say to the user that it’s doing so the first time (and allow you to disable should you be concerned). To the best of my knowledge it does that silently still. There are plans now for a reporter tool. That’s yet another tool that transmits info. Granted it will require user consent and intentionally making multiple clicks.

IMHO it would be best to head-off the bad press by making it clear that the Mozilla Foundation takes privacy very seriously. Otherwise, I think we are bound to get some news outlet who is going to make some waves about how Firefox is a privacy nightmare… when it’s actually not. It just doesn’t explicitly state how privacy is guarded and how info is used.

Just my $0.02.

Categories
Google Security Tech (General)

Why people shouldn’t be afraid of Gmail

There has been a ton of buzz lately about Gmail, Google’s free email service. 1000 megabytes of free storage, Google Search Technology, and of course all sorts of Google usability improvements. I’m sure Google has stuff still in the labs to enhance it at some point in the future as well; I could see searching attachments and viewing Word and Acrobat files as HTML all in the works.

How will they pay for this quite amazing offer? “Relevant text ads”. I think most already know what I’m talking about when I say this; if not, check out MacVillage.net, which has Google’s text ad service on the homepage.

What is it?

Here’s a really simple summary. Google sells a ton of advertising. And I mean a ton; they sell for their own website, as well as many others. To make sure the ads are effective, they like to “target” the ads. This is similar on other forms of media. For example, on TV, you will find sports and fitness related ads on ESPN, while the Food Network may not necessarily carry the same ads. Why? Because the audience on ESPN is most likely into sports, and fitness. The ads are most effective when people are interested in the products. Makes sense, right?

Well, Google does the same thing. When it sells ads on a Macintosh website like MacVillage.net, it targets them towards Mac users, hence you see ads like “Expert Macintosh service”, “Macintosh Support”, “Mac Service & Support”. Because those ads will do well on a Mac website, rather than a PC website. These ads are now worth more to the advertiser, who will pay more to Google, who will in turn pay out more to MacVillage.net. Google does the same on its own search engine (the right hand side); relevant ads are worth quite a bit, since it’s perfect real estate for advertisers.

How do they know what to show?

Google hasn’t disclosed the technology in real detail, but one could assume their technology assigns keywords to the ad campaign. It then looks at the text of the page that needs an advertisement. It examines that page for relevant keywords, and places the highest-ranking advertisement that fits the page.

So what’s the deal about privacy?

That’s the question of the day. Google’s system is undoubtedly automated. It would be impossible to hire enough employees to screen all data and figure out relevant ads. Your mail is technically handled by many systems that process/analyze it anyway. From virus scans, spam filters, to your mail client just figuring out if it should make certain text bold, underlined, or italics. Or how to process an inline image. Lots of software looks at your mail.

Personally, I don’t see the difference between Google, and Yahoo, Hotmail, or any other mail provider’s technology, except that Google is being smart, and providing a superior service, by selling relevant ads. How is this any more invasive? All Google did was put things together.

Personally, I think some people worry too much about privacy, and not enough about security. Instead of crying because a company put ads on a free service that you choose to use… Why not apply some patches to your buggy Windows computer so a hacker/spammer isn’t using it to flood my email with spam. To me, that’s much more invasive.

Just my $0.02.

Categories
Internet

Down with Site Finder

I’ve said it before. Site Finder sucks. It’s a violation of standards, and privacy. Not to mention business ethics (hijacking web traffic with a monopolistic position to increase revenue at a cost of user privacy).

It may come back.

Here’s to hoping Verisign goes out of business.