April 2011 Archives

Social Network Spy Game

I try, very hard, not to weigh in on some of the sillier things going on in the online world but I felt compelled to make a quick post about the shenanigans going on in the DC twitter world regarding @PrimorisEra.

Spencer Ackerman over at wired wrote up a great piece summarizing the events and went the extra mile talking to @PrimorisEra to get "her" side of the story.  Read his write up to get the background if you don't know what this post is about thus far.

Aside from the almost high school level drama, there is a serious issue at root here.  Namely, that the general lack of suspicion and skepticism that plagues the online world -- that enables phishing schemes to work, that allows people to compromise themselves in new and creative ways, that is the general dismay of the entire security industry -- somehow has crossed over to individuals in positions related to national security. Individuals who work in national security roles are trained -- beat over the head -- with operational security (OPSEC) rules but somehow forget this when engaging in social media.  Yet, again, we have another example of people acting foolishly in the online world.  I say again because something VERY similar (yet very different as it was fake) happened almost eight months ago: The Robin Sage experiment.

I have asked many people in the security field about their thoughts on the Robin Sage experiment.  My main question, always, is what they think the lasting repercussions of the experiment would be on the community (intel, national security, cyber).  The answer, universally, is that the impact would be minimal.  That it would be forgotten within months.

Eight months later, the uproar that Robin Sage caused was forgotten.  Eight months later we have another example of why the nexus of social media and national security is...well...complicated. I am not advocating a full stop and a reverse course.  The virtues of social media engagement are manifold. The good that comes out of social engagement is phenomenal.  But when we are talking about intel, defense, and diplomacy, are publicly accessible feeds the absolute best place for individuals to engage in a non-professionally sanctioned way?  Perhaps @PrimorisEra could have built a following and engaged on Intellipedia. Perhaps she should have compartmentalized her work life from social life on twitter.  Perhaps this all could have gone differently.

I am eager to see, what if anything, results from this.  Will it end up that @PrimorisEra was, in fact, a honey pot?  If she was, this drama is going to intensify greatly.  Whichever way that chip falls, what are the repercussions for her and the government?  What are the lessons learned that policy makers and information assurance (security) professionals can take away?  What will change?  What will stay the same?

We must remember, this is both a one-time event and also the greatest systemic fear of those charged with protecting our national security networks and information.  To the policy makers out there, I urge you to be methodical and rational in your approach to this event.  To the individuals in the national security field, I URGE YOU to be smart about engaging online.  To be skeptical and suspicious.  To not, damnit, ruin this for the rest of us.

I'd also like to applaud the individuals who called attention to the situation. While it did not unfold, lets say, as professionally as possible attention was nonetheless called to some questionable behavior.  You showed the healthy dose of skepticism and suspicion needed.  Kudos.

Readers, what are your thoughts?
Update: Responses from the Victoria DoJ can be found here: http://www.privacywonk.net/2011/05/victoria-doj-social-media-video-follow-up.php

The video below was released on March 16, 2011 by the Department of Justice, Victoria, Australia.  It details the departments view on appropriate personal and professional uses of social media.  It's a fantastic four minute video that clearly communicates policy about social media while also demonstrating exactly what the policy's intent is through example  interactions. 

I recently presented at the International Association of Privacy Professionals (IAPP) Privacy Summit in March of 2011 on the topic of implementing the new compliance requirements of OMB M-10-22 (new cookie policy) and OMB M-10-23 (third party websites and applications).  I would have loved to show this video to hammer home the professional v. personal use portion of the presentation.  Budgetary constraints aside, I think this is a fantastic way to disseminate policy.  Imagine asking your employees to watch a four minute video vs. reading a 10 page policy document? Benefits?  Minimal work disruption, increased knowledge of new policies, and higher compliance/adoption of the new policy.






I am going to reach out to the Victoria DoJ and see if they have been tracking statistics after the release of this video...stay tuned.

Update: Responses from the Victoria DoJ can be found here: http://www.privacywonk.net/2011/05/victoria-doj-social-media-video-follow-up.php
Found via Alex Howard (aka digiphile) via Stowe Boyd via Raffi Krikoria.An absolutely awesome picture of twitter's message format.  Click the picture to open a larger version in a new window.



The Usability of Passwords

"The Usability of Passwords," original published in August of 2007 by Thomas Baekdal, is a great primer on password usability and security. While much has changed in the past four years with password security, such as the rising popularity of Two Factor Authentication to secure more sensitive accounts, much remains the same.  Password attacks have also become more advanced, especially with the advent of rainbow tables and rainbow table services but this article still has a great message.

Go give it a read, easily digestible with a simple message.  Do we need 15+ character passphrases?
On April 8, 2011 Congress voted to over turn controversial FTC Net Neutrality orders/regulations (PDF).

PrivacyWonk discussed this vote previously in March when it first became a topic of conversation on the hill: http://www.privacywonk.net/2011/03/netneutrality-vote.php. This vote was held while party leaders tried to reach an agreement to keep the government from shutting down.

"While the Resolution seeks to overturn the FCC's new anti-blocking, network management transparency, and traffic discrimination rules, it faces an uphill battle to become law. The Resolution would need to get passed by the Democrat-controlled Senate and get signed by the President. The White House recently said it plans to veto any measure overturning the FCC's Net Neutrality Order." ~TMT Law Watch

The 235-181 vote passed along a party line vote.  More information can be found here: http://www.govtrack.us/congress/vote.xpd?vote=h2011-251&sort=party


The Church of London design shop worked with Google to produce "Think Quarterly," an absolutely gorgeous limited edition, business-to-business only quarterly book that invites thought-leaders to come together to discuss the global mega-trends shaping our world. The first issue focuses on data and was hand-delivered to 1,500 of Google's UK partners and advertisers in an embossed white box. 

The pictures and details released online about this book are absolutely amazing.  Now, while we may not be able to get our hands on the physical book we can read and interact with it online at http://thinkquarterly.co.uk/.

Matt Brittin, Managing Director, UK & Ireland Operations, Google opens the book,

"At Google, we often think that speed is the forgotten 'killer application' - the ingredient that can differentiate winners from the rest. We know that the faster we deliver results, the more useful people find our service.

But in a world of accelerating change, we all need time to reflect. Think Quarterly is a breathing space in a busy world. It's a place to take time out and consider what's happening and why it matters.

Our first issue is dedicated to Data - amongst a morass of information, how can you find the magic metrics that will help transform your business? We hope that you find inspiration, insights, and more, in Think Quarterly. "

Contributors to the book include:

A PDF copy of the book is available for download at http://download.thinkquarterly.co.uk/think-01.pdf and a host copy can be found http://www.privacywonk.net/download/think-01.pdf

I have not yet started reading the articles but I am very much looking forward to it.  Big Data is moving fast.  To ensure privacy is being considered along the way we have to understand how it's being used now and how it will be used in the future.
A great talk on kids online privacy and security.  Love the closing lines.

Note: if you don't see a video below it may be due to certificate errors with YouTube.  Try accessing: https://www.youtube-nocookie.com/v/RAGjNe1YhMA and confirming the exception.


DoD to remove SSNs from ID Cards

A big win for DoD service members and families, beginning June 1, Social Security Numbers on military ID cards will start to disappear.  Currently, SSNs are printed on the back of common access cards (CAC), and on the front of cards issued to dependents and retirees.  The DoD switched from the original serial number, later called the service number, to the SSN in 1968. At the time, the SSN was not as sensitive a piece of information as it is today.  However, today, losing a DoD issued ID card could easily lead to identity theft. Most of the information needed to easily steal someones identity is printed right on the card: name, date of birth, SSN, and more.

The DoD will replace the SSN with a new unique 10-digit number for individuals with a direct association with the department, returning to the pre-1968 serial number/service number. The new number will also be the service member's Geneva Convention identification number.

The switch to the new cards will take place over four years.  Service members, dependents, and retirees will receive the new card when their current one expires.

Sources:
DoD to drop social security numbers from ID cards:
http://www.army.mil/-news/2011/04/04/54310-dod-to-drop-social-security-numbers-from-id-cards/

Department of Defense Privacy Board Advisory Opinion on Disclosure of the Original, pre-1968, Serial Number:  http://privacy.defense.gov/opinions/op0045.shtml