May 15, 2010: 7:10 am: General

I make no secret that I enjoy Apple products. I got into Apple products after my experience with my first iPod and deciding that I was tired of feeling like I was still at work when I was home. All the maintenance and effort to keep Windows-based products working efficiently was too much like my day job. Most of the time Apple products just work for how I use them. Sure, like any product made by humans, Apple can have design issues. Like any electronic device it will fail at some point in time. With that said, I am an information security professional. I spent several years out of college in loss prevention. I am not a lawyer, but clearly I have strong feelings on this whole situation. And here they are.

February 12, 2010: 7:19 pm: Forensics, Privacy

A couple of days ago Dr. Johannes Ullrich did a really interesting post on scraping GPS data from TwitPic-posted photos from Twitter users. You can read the original post with graphs over at the Internet Storm Center blog. He wrote a couple of Perl scripts for use with the exiftags tool.

So I was inspired to do a similar trick without the Perl script and using my favorite, ExifTool by Phil Harvey. So here comes yet another one of my automators for OSX. You can download it in the zip below. Just copy the imagecsv.txt to the root of your user home folder. Then run the automator app. You can of course edit the app in Automator to see how it works. It will prompt you for the Twitter user name of your target. Then it goes to TwitPic, scrapes their RSS feed of all full-sized images and runs exiftool on them. It puts all the output in a folder on your desktop named after the Twitter user name. You may alter which fields exiftool writes to the exifdump.txt file by editing the imagecsv.txt. It is just a print format file under the rules of exiftool, set up to be tab-delimited.

Just make sure you have exiftool installed or you won't get the tag dump. You will end up just getting all the pictures scraped from the user's RSS feed.

Download:
OSX Automator – TwitPic – ExifScrape
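
The same GPS data can be checked for in your own photos before you upload them. The following is an added example, not part of the original post or its Automator download: a small Python reader that reports which GPS tags a JPEG carries in its EXIF block. The function names and the sample image bytes are constructed for illustration.

```python
import struct

GPS_IFD_POINTER = 0x8825  # IFD0 tag holding the offset of the GPS sub-IFD

def ifd_tags(tiff, offset, bo):
    """Return {tag: raw 4-byte value field} for the IFD at offset."""
    out = {}
    if offset + 2 <= len(tiff):
        (n,) = struct.unpack_from(bo + "H", tiff, offset)
        for pos in range(offset + 2, offset + 2 + 12 * n, 12):
            if pos + 12 > len(tiff):
                break  # truncated directory: stop instead of raising
            (tag,) = struct.unpack_from(bo + "H", tiff, pos)
            out[tag] = tiff[pos + 8:pos + 12]
    return out

def exif_tiff_block(jpeg):
    """Return the TIFF payload of the Exif APP1 segment, or None."""
    pos = 2
    while jpeg[:2] == b"\xff\xd8" and pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        (seglen,) = struct.unpack_from(">H", jpeg, pos + 2)
        body = jpeg[pos + 4:pos + 2 + seglen]
        if jpeg[pos + 1] == 0xE1 and body[:6] == b"Exif\x00\x00":
            return body[6:]
        if jpeg[pos + 1] == 0xDA or seglen < 2:  # image data reached, or bad length
            break
        pos += 2 + seglen

def gps_tags(jpeg):
    """Return the sorted GPS IFD tag numbers in a JPEG ([] if none)."""
    tiff = exif_tiff_block(jpeg) or b""
    if len(tiff) < 8 or tiff[:2] not in (b"II", b"MM"):
        return []
    bo = "<" if tiff[:2] == b"II" else ">"  # TIFF byte order mark
    magic, ifd0 = struct.unpack_from(bo + "HI", tiff, 2)
    pointer = ifd_tags(tiff, ifd0, bo).get(GPS_IFD_POINTER) if magic == 42 else None
    return sorted(ifd_tags(tiff, struct.unpack(bo + "I", pointer)[0], bo)) if pointer else []

def sample_jpeg(with_gps):
    """Constructed test input: a minimal JPEG with or without GPS tags."""
    tiff = b"II" + struct.pack("<HI", 42, 8)
    if with_gps:  # IFD0 points at a GPS IFD (offset 26) with tags 1 and 3
        tiff += struct.pack("<HHHII", 1, GPS_IFD_POINTER, 4, 1, 26) + b"\0" * 4
        tiff += struct.pack("<HHHI4s", 2, 1, 2, 2, b"N")  # GPSLatitudeRef
        tiff += struct.pack("<HHI4s", 3, 2, 2, b"W") + b"\0" * 4  # GPSLongitudeRef
    else:  # IFD0 with only an Orientation tag
        tiff += struct.pack("<HHHII", 1, 0x0112, 3, 1, 1) + b"\0" * 4
    body = b"Exif\0\0" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(body) + 2) + body + b"\xff\xd9"
```

A non-empty result from `gps_tags(open(path, "rb").read())` means the file still carries location tags and should be stripped or re-exported before posting.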

October 7, 2009: 9:57 pm: Uncategorized

I love using my Google Voice number as a public filter. I have it all tuned up and ready for my trip to Vegas next week for the Blogworld and New Media Expo. It saves having folks know your real home or cell number while still letting you route calls through based on who is calling.

http://www.google.com/voice/
http://www.blogworldexpo.com/

September 3, 2008: 6:47 pm: Privacy

I spotted an article today on a new service for anonymizing your phone number. It lets people call you while keeping your number private. The article is “Anonymize your phone number with LetsCall.Me” over at CNet by Josh Lowensohn. The service lets you hand out a web link and folks can input their number on that page. The service then connects them to you without them ever knowing your number. So I have to wonder, where is the hook? How do they intend to make money? Every web service is about eventually making money, even indirectly. It has to be or what is the point?

I actually read the terms of use from LetsCall.Me and find this section curious.

You also grant to LetsCall.Me the right to use your name in connection with the submitted materials and other information as well as in connection with all advertising, marketing and promotional material related thereto. You agree that you shall have no recourse against LetsCall.Me for any alleged or actual infringement or misappropriation of any proprietary right in your communications to LetsCall.Me.

Could this mean your name, number etc are eligible to be sold on a marketing list?  Keep in mind I am NOT saying they ARE doing or WILL do this.  Just that the language makes me think they COULD. I also will say I am not a lawyer.  So best ask yours if in doubt.

The trade off might suit your needs.  I know I am a Google GrandCentral user.  But that service is not open to new subscribers so maybe what LetsCall.Me offers would work for you.  Just consider the implications of any terms of use for any service when handing out information you are intending to protect.

August 17, 2008: 12:55 pm: Location, Privacy

Today I spent a bit playing with Yahoo’s new Fire Eagle location service. It has some pretty decent privacy controls and it is taking off fast as a junction point for location-aware applications. If you sign up for Fire Eagle you can get an automatic invite to Brightkite, which has good SMS and email mechanisms for updating your location. It also has decent privacy controls, such as only close friends see your exact location and everyone else gets the city.

So I tied them together and then tied Brightkite to my Twitter location. While I was doing this I was surprised to see how many of my Twitter followers have their exact longitude and latitude coordinates updating from their iPhone. I would wager a lot of them did not give a real thought to the privacy concerns. Or that it tells a lot of people when you are definitely not home. Worse, imagine your kids with iPhones and Twitter. Raises cyber bullying to a whole new level if the bully can go straight to where they really are.

I would recommend disabling location updates and wiping the current location. Or use something like Fire Eagle/Brightkite to mask your location to a city level where it has value to you.

July 30, 2007: 6:13 pm: Privacy

I am sure everyone who reads online articles, blogs etc has seen the talk about Facebook being used to gather data for identity theft. I stumbled onto one little tidbit. Amazon. Would you believe that your birthdate (minus year) and email used for your Amazon account shows up publicly to everyone by default?

You should log into your account. Click Yourname’s Amazon, then click “Your Profile”. Make sure to edit it and change your email and birthdate lines to show for you only. Then on the right side do the view page as seen by Everyone. I sure hope I accidentally set that and it was not Default. If it was default Amazon ought to be ashamed.

Amazon Profile

June 27, 2007: 7:33 pm: Privacy

I previously posted about having to make sure we have something in place to protect employees from misuse of the new surf control deployment. Here is a sample of what I went with.

Employee records and data which include, but are not limited to, telephone use,
cell phone use, computing resource, video surveillance and Internet use, are
to be handled with extreme sensitivity and confidentiality. Management,
or others requesting access to this type of information, must submit their
request to the Human Resource Department location for which the employee in
question is based. All HR-approved requests must then also be approved
by the Corporate Security Officer. The appropriate local IT Department must
provide all requested data to the local Human Resources Department, who in
turn will provide this data to those initiating the information request.
In reviewing all data and record requests, the HR department must assess the
appropriateness for the individual requesting the data, as well as the
relevance of the data being requested.

There are occasions where employees are unavailable (e.g. vacation) and a
manager assigns a stand in. In these instances where no investigation is
involved the manager must submit a notification with duration or access
required to the Human Resource Department location for which the employee in
question is based. Human Resources will review the appropriateness of the
temporary access. HR-Approved requests will be sent to the local IT
Department. The IT Department will send notification of access change to HR
and the requesting manager. Access must be removed at the end of the
assigned duration and confirmation sent of the removal. If the requesting
department is HR then they must obtain approval of the Company Site manager.
If any information is discovered that relates to policy or legal violations
it must be immediately brought to the attention of Human Resources and the
Corporate Security Officer notified.

There are occasions where managers may request site entry and exit logs of
their employees for use in time and attendance tasks. This is accepted by
Company as a standard tool to ensure employees receive proper compensations.
Each site may determine its own policies concerning requesting and receiving
this information.

May 21, 2007: 5:30 pm: Privacy

Today I got my first new Surf Control box up and running at work.  During the configuration I noticed a few things about some employees I did not want to know.  So likely I will make it policy that one IT person per site is designated as the surf control admin with their backup being the designated admin from another site.  Those folks will be trained that only if something is requested through Human Resources can personally identifiable reports be generated and given to management.  Generic usage by volume, category etc is ok.  I just do not want this to turn into a witch hunt by supervisors or managers.

If it stays an issue I may mandate we redo our installations to work only in Privacy Mode.  This requires two passwords be entered to expose user details.  This is expected to usually be a management and labor representative.
