AMC movie theater calls FBI to arrest a Google Glass user

Because I don’t want Glass to distract me during the movie, I turn them off (but since my prescription lenses are on the frame, I still wear them). About an hour into the movie (Jack Ryan: Shadow Recruit), a guy comes near my seat, shoves a badge that had some sort of a shield on it, yanks the Google Glass off my face and says “follow me outside immediately”. It was quite embarrassing and outside of the theater there were about 5-10 cops and mall cops. Since I didn’t catch his name in the dark of the theater, I asked to see his badge again and I asked what was the problem and I asked for my Glass back. The response was “you see all these cops you know we are legit, we are with the ‘federal service’ and you have been caught illegally taping the movie”.

It seems somewhat odd that real FBI agents would act like that. My money is on private contractors hired by the movie industry to impersonate federal agents.

Two Providers of Secure E-Mail Shut Down

Two major secure e-mail service providers on Thursday took the extraordinary step of shutting down service.

A Texas-based company called Lavabit, which was reportedly used by Edward J. Snowden, announced its suspension Thursday afternoon, citing concerns about secret government court orders.

By evening, Silent Circle, a Maryland-based firm that counts heads of state among its customers, said it was following Lavabit’s lead and shutting its e-mail service as a protective measure.

The only way to protect your communication is to not trust the service, but instead to use something like PGP or pinned X.509 certificates to encrypt the content before it is sent.

Facebook changes everyone’s listed emails to @facebook.com

While users can opt out of having their @facebook.com address listed, the troubling part of the change is how Facebook went about implementing it. The social network didn’t so much as announce the change was coming or alert users once it happened.

Interesting things start to happen once you realize that many people have Facebook contact sync, meaning that the email addresses for all Facebook contacts in their phone’s contact list will be replaced with the one from @facebook.com.

About the Firesheep hack on Facebook

There has been a lot of talk recently about website security since the Firesheep plugin for Firefox was released earlier this month. I think it is excellent that people and mainstream media are becoming aware of these problems, but let’s face it, they have been around forever in the web world.

So what is happening here? I believe that Firesheep receives lots of attention because of the way it makes accessing other people’s cookies extremely user-friendly. Instead of relying on tcpdump, Wireshark or any other type of network sniffing tool, you get this complete package with a sniffer, a filter to find the cookies, and a way to set the sniffed cookie in the browser directly without having to lift a finger. All you need to do is activate the plugin and wait for people to access Facebook over a network.

A cookie is basically a small piece of data containing parameters and values which a website can set to track you while you are accessing it. This is how Facebook, for example, knows that you are logged in while you browse around the site. If you disable cookies, you will be asked to log in whenever you try to access a private part of the site. To get a user’s cookie, or any other information, you can sniff their traffic on the network: you will be able to see everything that is sent and received by that computer. This is how someone can easily steal your cookie.

There are however ways to protect yourself against these types of attacks. The first and most important is to make sure that you are browsing using https instead of http. That “s” tells your browser to set up an SSL/TLS connection to the server before sending any information. Since SSL encrypts the data, everything sent to or received from that particular server is protected, and it is not possible to sniff that traffic and get the cookies.

That is a slight simplification, since there are ways to get at the data anyway. But if you make sure that you do not accept any certificates signed by an unknown authority (your browser will warn you), you will be fairly safe in this regard. Since many sites, such as Facebook, use SSL only for the login phase, an attacker cannot sniff the password, but can steal the already set-up cookies. This basically means that they can do anything with that account except change the password.

Since lots of websites do not provide a secure alternative, what can be done to make it reasonably secure? The easiest way is to set up a VPN connection to a server somewhere, which will at least prevent people from sniffing your data on wifi hotspots. How to do that is however out of scope for this article.
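As an added illustration (not part of the original post), the following Python models the browser rule behind the cookie-theft scenario described above: a cookie set during an HTTPS login without the Secure attribute is also attached to later plain http:// page loads, where it travels in clear text. The Set-Cookie headers and URLs are constructed for the example; the path-matching follows RFC 6265.

```python
"""Which cookies could a Firesheep-style sniffer on the same wifi capture?
A cookie set over HTTPS but lacking the Secure attribute is attached to later
plain-http requests too. Set-Cookie headers below are constructed samples."""
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: a login-only-SSL site sets its session cookie without Secure.
SAMPLE_SET_COOKIE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly",           # weak: also sent over http://
    "csrftoken=xyz789; Path=/",                     # weak
    "prefs=dark; Path=/admin",                      # weak, but path-scoped
    "sid_secure=def456; Path=/; Secure; HttpOnly",  # hardened: https:// only
]

@dataclass
class Cookie:
    name: str
    value: str
    attrs: dict  # lower-cased attribute name -> value, or True for flags

def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header; valueless attributes (Secure, HttpOnly) become True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.lower()] = val if val else True
    return Cookie(name, value, attrs)

def path_matches(cookie_path: str, request_path: str) -> bool:
    """RFC 6265 section 5.1.4 path-match."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False

def would_browser_send(cookie: Cookie, url: str) -> bool:
    """Would the browser attach this cookie to a request for url? (same host assumed)"""
    parsed = urlparse(url)
    if cookie.attrs.get("secure") and parsed.scheme != "https":
        return False  # Secure cookies never ride over plain http
    return path_matches(cookie.attrs.get("path", "/"), parsed.path or "/")

def sniffable_cookies(set_cookie_headers, url: str) -> list:
    """Names of cookies that would cross the wire unencrypted for this request."""
    if urlparse(url).scheme == "https":
        return []  # TLS protects the whole request, cookies included
    cookies = [parse_set_cookie(h) for h in set_cookie_headers]
    return [c.name for c in cookies if would_browser_send(c, url)]
```

Running `sniffable_cookies(SAMPLE_SET_COOKIE_HEADERS, "http://example.com/home")` lists exactly the cookies a passive sniffer would see once the user leaves the HTTPS login page; only the cookie marked Secure stays off the plain-text connection.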


Diaspora — The Open Facebook Alternative

Diaspora is going to be an open Facebook alternative. Things coming in the first sprint:

  • Full-fledged communications between Seeds (Diaspora instances)
  • End to end GPG
  • External Service Scraping of most major services (reclaim your data)
  • Version 1 of Diaspora’s API with documentation
  • Public GitHub repository of all Diaspora code

It will be very interesting to see what they will make of this.