Posts tagged: Security

Truest sign that we are nearing the Singularity – on the Value of Backups

Materialism doesn’t matter. There, I’ve said it. Nothing material, nothing that you can touch, matters… when talking about computers. See, I’m not that evolved.

Between Christmas and New Year’s Eve, my laptop got stolen on the train. Last summer, after a friend of mine “borrowed” my laptop at an event without telling me, I realised that I had better start backing up in case this happened again. So, on the 27th of December, a day before my laptop actually disappeared, I had a full backup made via Apple’s Time Machine, as part of my weekly routine.

And now, some hardware expenses later, one of which was a gigantic (640 GB) laptop hard drive by Western Digital which I’m loving, I have a different MacBook, but with exactly the same data I had before, and I am running it like nothing ever happened. And I’m telling you, I didn’t like spending money on this, but having all my data back makes that money feel inconsequential. Backups rock, as does OS X for having backup software built in!

OK, philosophically speaking, I’m still being materialistic about my data. Clearly, I’m not “if you could take one item to a deserted island, what would it be? Data” material. But it’s kind of a revelation to me that hardware (and software) and money really are much, much less important than data.

I also hope that this inspires you to make a last minute resolution for 2010. Always back up your data because you never, ever know when it might just be gone.

Vincent


The everything-else-being-the-same principles of Safely owning Gadgetry

This weekend, I was faced with the important principles surrounding the owning of gadgets, such as my current laptop. I should add a disclaimer: I’m at an age where I have to be super-responsible for my life and there really is little excuse for making (many) mistakes. And when I woke up in a hotel room without my laptop, I wanted to bang my head against a wall (as if my headache wasn’t already big enough). Luckily, it all worked out in the end, but it sure gave me a reality check.

So, gadgets, by which I mean anything that costs in excess of €200 and more probably in excess of €1000. How do you keep your gadget habit safe? Three things that really-really-really matter:

  • Common sense: I don’t need to explain this much, but not leaving expensive stuff unattended is probably rule 101 of common sense. That said, we are all human and common sense will never protect us 100%.
  • Backups: I’ve had 2 moments of stress regarding my laptop in the last month. The first was installing Snow Leopard, which didn’t make it very clear whether I was upgrading Leopard or formatting the whole drive. Luckily it was the first, but it was stressful for about 30 min. The second was when I woke up and couldn’t find my laptop and had 2 hours at breakfast to reflect on “how important are those pictures/documents/memories really?” Nothing with bits in it is really life-changing in my experience, but still it kind of feels like an extension of our human brain.
  • Theft insurance: I currently pay about €200 per year on this, covering about €5000 of property and, at my age at least, it’s a real stress-reducer, especially with things that can easily get lost. You can think logically, you can back up, but having to buy a new laptop out of your own wallet kind of sucks.

So, just a short message to all the gadget lovers out there. Technology rocks, but so does a little insurance. If you have any ideas of your own on how to keep your gadgets safe, feel free to share them in the comments.

Vincent


Empty promise of privacy in Facebook

The more I’ve thought about it, the more Facebook’s applications look like an exercise in personal information anarchy.

One evening at a bar, my friends and I were joking that it would be quite trivial to make a Facebook application called “How sexy is your social security number?”, which would compare your SSN, bank account and other personal information in a “fun” way with those entered into the application by your friends. The strangest thing about this is that it would most likely be in accordance with all of Facebook’s privacy terms.

A couple of days ago I was quite surprised when my friend showed me how hot, geeky and so on I had been ranked by, I suppose, my friends. The problem is that I’ve never used this application or ever given it any permission to use my profile picture or my name.

I’m pretty sure that in any European country this would be illegal. Conveniently, Facebook is located in the USA, where privacy law is somewhat looser.

I’ve not given my permission to these people or these corporations and their applications to use my picture or my name. Yet, because they discard any business ethics in their pursuit of Google AdWords income, they cannot respect any privacy conventions. If people cannot compare all their friends (users or not of that comparison app), they will not use that application. There has to be enough information in the application for people to be interested in using it.

Because I do not use these apps, I cannot set any privacy settings for them in my profile. In its Privacy Policy, Facebook states that “If you, your friends, or members of your network use any third-party applications developed using the Facebook Platform (“Platform Applications”), those Platform Applications may access and share certain information about you with others in accordance with your privacy settings”. Yet, because I don’t have those applications added, I cannot control that use of my information. Facebook washes its hands by saying that “while we have undertaken contractual and technical steps to restrict possible misuse of such information by such Platform Developers, we of course cannot and do not guarantee that all Platform Developers will abide by such agreements”. This is quite similar to the defence YouTube uses when defending all the material on its site. Thanks to the DMCA’s safe harbour sections, they can easily claim that they can’t be held responsible for their users’ actions. I don’t believe Facebook has the same defence against its third-party application developers pimping out people’s private data without their consent – their friends’ consent doesn’t count. They can use the DMCA in their defence when people upload photos featuring other (identifiable) people without the latter’s permission (which happens, well, all the time) – but even in this case Facebook goes so far as to encourage identifying people with its photo-person-tagging function.

As a citizen of a country with quite strict privacy laws, I find it rather strange that there’s an application on Facebook where people can rank certain aspects of me without me knowing about it. Even though I’m a blogger on Tech IT Easy, the premier tech blog, I have quite broad rights to privacy (i.e. I’m not a public person). In Facebook, I’ve understood that this means that applications I’ve not given direct permission to use my personal information (like name and profile picture) cannot use it. I think it’s not enough that Facebook says it isn’t abusing my data when it can’t give any assurance about its third-party applications.

I’ve not given (nor, to my knowledge, has my profile picture’s photographer) rights for these applications to use my picture, which clearly identifies me. Yes, Some Comparison Application, Inc. might pull that image from Facebook’s database, but they do not have the right to use it in their context without my explicit permission. The point that this information is only shown to people I’ve flagged as my friends, who could see my picture on my profile page anyway, does not count. You can take a look at the information any Facebook Platform application can get about you if your friend happens to use that application. As Facebook says in its privacy terms, it makes no guarantees about what its third-party developers do with the information about you that they got through your friend. (Your friend may have waived his or her rights to privacy by agreeing to some stupid EULA to get his/her hands on new smileys, but his/her agreement does not extend to you, or to me in this case.)

I can clearly understand why any developer would like to code his Facebook application in this way. It’s far easier to gain the needed critical mass when most of your users are part of your application without knowing it. I find this morally questionable at the least. I don’t know about the culture in the USA, but at least in a Finnish context, I find many of the uses of my personal information outside my control in Facebook quite offensive.

As I see it, a third-party application should only be able to call users.getInfo on me if I had added the application myself (which the application can check with e.g. friends.getAppUsers, users.isAppAdded or users.hasAppPermission). This of course would be a major restriction on the Facebook ecosystem as it is today, for the reasons I’ve mentioned above. Right now, this restriction is left on the shoulders of the developer. And, right now, the developers seem to use those functions only to find the users’ friends who do not have this developer’s application added and to bombard them with invites.

When I last visited my school’s library, I noticed that in the textbook section the shelves were full of international marketing books, but there were only a couple of books titled business ethics. Is it really okay to pimp out other people’s private data without their consent?


Bad Security?

Can open and free equal good? Puffy thinks so.

I had the pleasure of attending a seminar at my company on IT security. The theme for this session was, among other things, application security. Now, I was hopeful, as the presenter was from an IT security company and the agenda looked interesting (DoS, XSS, SDLC…). Maybe I could learn something practical on these topics I’ve heard so much about? I do, after all, have to manage a couple of projects which involve a bit of web application development.

Okay, I was impressed at first. The introduction of the presentation was smooth and the slides were above average. Some little mistakes here and there, but I let them slip. But then, little by little, I started to notice disturbing trends. For example, this guy constantly belittled free/open software. It was like in his mind it was impossible that free or open software could be better than commercial software. At one point he wondered how, in one regard, there is even a piece of “freeware” that does some things better than Microsoft IIS. Every time he mentioned that something was not of commercial origin, but either a free or volunteer effort, he had to mention that despite this obvious shortcoming, this or that was still “pretty good”. I don’t know, maybe he was molested as a child by a chubby penguin or something, but I was amazed by this ignorance.

We went through the most common web application attacks and ways to mitigate them. When we got to buffer overflows, he was baffled, because he couldn’t understand how something as simple as a buffer overflow is so common in many applications. In his version of history, the roots of this problem were in the history of “unix” and C, where it was OK if programs crashed. And how to solve this problem? Do not accept long strings. He had also noted from his own experience that buffer overflows and memory leaks were more common in Windows environments than in Unix environments, but he wasn’t sure why this was the case; it probably had something to do with coding styles or something. Also, his solutions to most of the security problems seemed to be adding some new technology. And in any case, we don’t even develop that many of our own tailored apps, and it’s not like you can modify off-the-shelf software or its coding practices that much.

And so we went on with injection attacks and string formatting – do not allow strange characters. At this point I was also shown our company security principles, which stated that all applications must validate input and must strip all strange characters, including “,”, “‘”, “+”, “%”, “@”, “&” and friends. Apparently many programs, like Excel, Word and Outlook, are exempt from this rule, as using these programs would be rather difficult if they didn’t accept some of these characters. He applauded our work on this and didn’t “on the surface” see any problems in it. Okay, maybe I’m nit-picking here, but the overall presentation was just horrible. I know I’m not an expert on security issues, but I have read my share of Schneier and written a bit of PHP and Ruby.
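The company rule above strips a blacklist of characters from all input. As an added example (not code from the post or the seminar), the snippet below puts that rule beside a parameterized SQL statement in Python with SQLite, on constructed sample values, to show that the blacklist silently destroys legitimate data (an apostrophe in a surname, the @ in an e-mail address) while parameter binding stores those same values intact and removes the reason for the blacklist.

```python
import sqlite3

# Constructed sample values: ordinary data that happens to contain "strange" characters.
SAMPLE_NAME = "O'Brien"
SAMPLE_EMAIL = "kari@example.com"

# The characters the company rule says every application must strip.
STRANGE_CHARACTERS = set(",'+%@&")


def strip_strange_characters(value):
    """Apply the blacklist rule: drop every listed character from the input."""
    return "".join(ch for ch in value if ch not in STRANGE_CHARACTERS)


def new_contacts_db():
    """In-memory SQLite database with a single contacts table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contacts (name TEXT, email TEXT)")
    return conn


def insert_concatenated(conn, name, email):
    """Build the SQL by string concatenation, the design the blacklist tries to
    protect. Returns False when the input breaks the statement, which a plain
    apostrophe in a surname already does."""
    sql = "INSERT INTO contacts (name, email) VALUES ('" + name + "', '" + email + "')"
    try:
        conn.execute(sql)
        return True
    except sqlite3.Error:
        return False


def insert_parameterized(conn, name, email):
    """Pass the values as bound parameters; the driver keeps data and SQL
    separate, so nothing needs stripping. Returns the row as stored."""
    conn.execute("INSERT INTO contacts (name, email) VALUES (?, ?)", (name, email))
    return conn.execute(
        "SELECT name, email FROM contacts WHERE name = ? AND email = ?", (name, email)
    ).fetchone()


if __name__ == "__main__":
    print(strip_strange_characters(SAMPLE_NAME), strip_strange_characters(SAMPLE_EMAIL))
    conn = new_contacts_db()
    print(insert_concatenated(conn, SAMPLE_NAME, SAMPLE_EMAIL))
    print(insert_parameterized(conn, SAMPLE_NAME, SAMPLE_EMAIL))
```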

I also learned that the term “hacker” originates from a time when computer resources were scarce and “hackers” were the guys who tried to get more of these resources by abusing systems. I believe the correct term would be “phreaker”, and yes, I’m aware that much of the hacker subculture originates from them. And yes, throughout his presentation he mostly used the term in a negative way, so it is totally possible he used it as an umbrella term for all kinds of people who abuse the functionality of systems.

Now, the audience was IT managers and people who probably didn’t know before this seminar what session hijacking or SQL injection was, but explaining these wrong, even if these guys don’t really need to know what they are anyway, was still quite amazing. I’m talking about a partner of an IT security consultancy here. Now, to be fair, he knew the basics, like the difference between identification, authentication and authorization, which he constantly pointed out, and, as he pointed out, he wasn’t a “technical person”, but hey, why are you giving this presentation?

Suffice to say, I left the seminar early.

Do you, the readers of this fine blog, have any experience with security experts who aren’t? As far as I know, this guy was from a reputable company, and their services are most likely good and the rest of their staff knowledgeable, so I’m not going to name and shame them. Have you noticed a general tendency in the business world to see FOSS as inferior to commercial software just because it’s free?

Kari is an IT project manager at a utility company and, when not managing the ensuing chaos or not misspelling Bruche Schneier’s name, enjoys watching The Amazing Race and is determined to go to Australia and see a wombat crossing sign with his own eyes.

