Best Practices


Social media and shopping malls

posted Mar 8, 2016, 4:22 PM by GamerDadster Video Gaming   [ updated Jul 9, 2016, 8:14 PM ]

Public Speech, Private Conversations, Social Media, and Freedom of Speech; can you tell me the difference?

So what is this about really?
Actually, the whole point of this article is to help you protect yourself in the cyber world, not to educate anyone on the art of conversation, but who knows?  There are some interesting ways to protect yourself, and I make no claim that I know everything, or that doing any of these things will make you 100% safe from the evils of the Internet.  First, I will give you an idea of my thoughts on public speech, private conversations, social media, and freedom of speech.  At the end I will give a few ideas and links on what you can do to protect your privacy.  If you don't protect it, they (governments, large corporations, evil people) will be more than happy to take it, and then who knows what's next?


Public Speech
So let's start with public speech, public speaking, or public conversations.  There are many definitions, and feel free to look at the wiki version I've provided.  My definition is anything said in a public place between two people.  This simply means you and a second party, or second person.  Although you would think it is a private conversation, it is not, because depending on the country, as a party to the conversation you can legally record the entire conversation.

"Legislation in Canada protects various privacy rights, but does not prevent Canadians from recording their own conversations with others" - source:  http://www.legaltree.ca/node/908.

If you are talking to yourself there might be other issues, but even that would be considered a public conversation for all purposes.  My point here is that anything said in a public place, even between two people, should be considered a public conversation.  So if you are walking through a shopping mall and yell out something positive or negative, do you honestly think it will stay off the public record?


Private Conversations
Interestingly, if you search for private conversations you don't get much.  Please don't refer to anything on Urban Dictionary either; that is a completely different matter!  My definition is simple: it can be many people, but I feel that more than one person isn't really a "private conversation".  Even in those circumstances, it may be private now, but in the future will they disclose it?  Are they recording the conversation?  Who knows?

Here are two interesting articles on conversations and being overheard.  If you are in NY, be careful: your previous conversations might be here!  The website is called "Overheard in New York".

Social Media
My view of social media is that it is like walking through a shopping mall and yelling out at the top of your lungs everything on your mind; you should not expect privacy.  Remember, just because you are at home or using your phone, or just sending information or photos to family or friends... you are still using a public service, so you should always consider it public.  Once something has been put on the Internet in any form, it is there permanently.  Data, websites (https://archive.org/web/), traffic, and any connections made are almost certainly monitored.  Count on it.  You can be pretty certain that every country does this, including Canada, eh!

Freedom of Speech
Well, this one is a little more interesting, and everyone has to be very careful.  Freedom of speech is a right in some countries, but not so much in others.  Further, what may be considered a normal cultural norm or an acceptable conversation in one culture may not be in another.  Religion and politics are at the top of the list, and there is lots out on the Internet about those; here is one example, and here is another on dealing with the subject.

My view on freedom of speech is simply this: if you say something, as I am in this article, does it add value?  Is the purpose education?  Does it directly enrage and inflame someone or some group?  What is the point you are trying to achieve, and does it help anyone but yourself?


Encryption
Privacy and the Internet are almost mutually exclusive, so let's talk quickly about encryption.  Think about this: just because something is encrypted right now, does that mean it will still be in five years?

Why do I say that?  Well, Internet traffic of interest is almost certainly captured and archived for future review and decryption.  Computing has changed significantly over the years; errors, bugs, back-doors, and all the other types of vulnerabilities are detected in code every day.  This means the data can then be easily decrypted; remember the SSL vulnerabilities of years gone by?  And then there is the matter of this little computer from D-Wave that Google, NASA, and Michigan State University are working on.  I would not bet against anyone who says that this system will kill encryption... so, is anything on the Internet between two people really private any longer?


What can you do about it?
There is lots of information out there on privacy; my answer is simple:
  • I never give out personal information that is of value.
  • If you find information of mine on-line, are you sure that it is accurate?  Does yours have to be?
  • Have a second email account for web sites that require an email address to register.
  • If I send something in any manner, I expect that it is now PUBLIC.
  • If I want to talk to someone, I try to meet them and have a real conversation.
  • Post as few personal photos on-line as possible, especially of children.
  • If you post pictures, make sure there is no metadata, especially GEO-location data.
  • Turn off your GPS!
  • And most importantly in my mind: holidays are great, take as many photos as possible for your memories, but post NONE WHILE YOU ARE AWAY... unless under an alias.  When I do post, I have already returned, and I post them as I go through and have a chance to verify each photo.  This makes the holiday last longer, and gives people of questionable morals less opportunity to hijack your vacation.
Not exactly social media, but related:
  • Never use public WiFi unless in an emergency, and make sure you have a firewall.
  • I NEVER do Internet banking.  Tellers need jobs too!
  • Any on-line purchases are done on disposable (refillable) credit cards.
  • EMAIL: all the same rules apply.  Email is SOCIAL MEDIA!
Here are two related and interesting articles on the discussion above.
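As an added example of the "no metadata, especially GEO-location data" point (my own code, not from the original post): a pure-Python check for the GPS pointer inside a photo's Exif block, plus a stripper that drops every APP1 segment (Exif and XMP) ahead of the image data. The JPEG bytes are constructed for the demo rather than a real photo, and the helper names are mine; note that removing the whole APP1 segment also discards harmless tags such as orientation, which is the price of being certain the location is gone.

```python
import struct

SOI, APP1, COM, SOS = 0xFFD8, 0xFFE1, 0xFFFE, 0xFFDA
GPS_IFD_TAG = 0x8825  # IFD0 tag that points at the GPS sub-IFD (lat/long live there)


def exif_has_gps(payload: bytes) -> bool:
    """True if an APP1 payload is Exif and its IFD0 contains a GPS sub-IFD pointer."""
    if not payload.startswith(b"Exif\x00\x00"):
        return False  # XMP or other APP1 content; not parsed here
    tiff = payload[6:]
    endian = ">" if tiff[:2] == b"MM" else "<"  # TIFF header gives the byte order
    ifd0 = struct.unpack(endian + "I", tiff[4:8])[0]
    count = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])[0]
    for i in range(count):  # each IFD entry is 12 bytes: tag, type, count, value/offset
        tag = struct.unpack(endian + "H", tiff[ifd0 + 2 + 12 * i:][:2])[0]
        if tag == GPS_IFD_TAG:
            return True
    return False


def strip_app1(jpeg: bytes) -> tuple:
    """Drop every APP1 segment before the scan data; return (clean bytes, gps_was_present)."""
    if jpeg[:2] != SOI.to_bytes(2, "big"):
        raise ValueError("not a JPEG")
    out, pos, gps = bytearray(jpeg[:2]), 2, False
    while pos + 4 <= len(jpeg):
        marker, length = struct.unpack(">HH", jpeg[pos:pos + 4])
        if marker == SOS:  # entropy-coded image data follows; copy the rest untouched
            return bytes(out + jpeg[pos:]), gps
        end = pos + 2 + length  # length counts itself but not the 2-byte marker
        if marker == APP1:
            gps = gps or exif_has_gps(jpeg[pos + 4:end])
        else:
            out += jpeg[pos:end]  # DQT, SOF, COM, etc. are kept as-is
        pos = end
    return bytes(out), gps


def build_sample_jpeg(with_gps: bool) -> bytes:
    """Constructed sample (not a viewable image): big-endian Exif with a Model tag and optional GPS pointer."""
    tags = [0x0110] + ([GPS_IFD_TAG] if with_gps else [])
    ifd = struct.pack(">H", len(tags))
    for tag in tags:  # type LONG, count 1, value 0: enough to exercise the pointer check
        ifd += struct.pack(">HHII", tag, 4, 1, 0)
    ifd += struct.pack(">I", 0)  # no IFD1 follows
    exif = b"Exif\x00\x00" + b"MM\x00\x2a" + struct.pack(">I", 8) + ifd
    app1 = struct.pack(">HH", APP1, len(exif) + 2) + exif
    com = struct.pack(">HH", COM, 2 + 5) + b"hello"  # a comment segment that must survive
    sos = struct.pack(">HH", SOS, 2) + b"\x00" * 8 + b"\xff\xd9"
    return SOI.to_bytes(2, "big") + app1 + com + sos
```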

Rebels and Vulnerabilities

posted Dec 19, 2015, 9:02 PM by GamerDadster Video Gaming   [ updated Dec 23, 2015, 9:35 PM ]

Star Wars and IT Security - The Force Awakens
I had the distinct pleasure of seeing #StarWars Thursday night at an advanced screening presented by several IT companies including #OPTIV [f1] and #Checkpoint [f2]. I came away with a smile knowing that I am part of the Rebel Alliance that is in a never ending fight against the Galactic Empire and the Dark Internet fighting their scourge, the likes of Darth Vader [f3], Dark Avenger [f4] and so many other forms of vulnerabilities and viruses.
Helping the Alliance...
In all my years of IT and IT Security there have always been many weak links, just like the infamous thermal exhaust port [f5], that can bring down any system. I have long concluded that our largest weakness has always been not properly training our front-line people in the war: our users. Further to that, we are always trying to combine too many systems, or not using system zoning or proper placement, in order to save a few bucks. In many cases this leads to short-term gains intended to make someone look good, or to get that needed check box on their list.  Inevitably this results in problems, and everything eventually comes crashing down.

Creating a new weapon in the war!
When a home is an easy mark it will be taken advantage of; made more difficult, a criminal will move on to an easier target. The same applies to IT: there will always be a better mousetrap, a smarter virus, and a better hacker, but there are so many ways to mitigate many of the problems. The first place to start is with user education, followed by replacing poorly written software with top-notch Open-source software [f6] or commercial applications. Below are my top ten wishes that I'd like to implement in an ideal work environment with tons-o-funding available.

GET IT DONE, NOW NOT TOMORROW
There always has to be a starting point, so why not today? Plan on getting it done, and if you are so close to completing your goal, sometimes all it takes is that extra 10% to arrive at that milestone. Remember that what you achieve today can make tomorrow all that better, easier, and more productive.

Take that first step. Let me know how it goes.


Top ten IT wish list
1) TRAINING...TRAINING...TRAINING...DID I SAY TRAINING?
Most organizations, when engaging new IT hires, put those new resources to work as soon as possible. In many circumstances that may be fine; however, when those new hires have access to mission-critical systems, or to systems that in turn have access to those same systems, it should give pause.

A new hire always introduces additional security risk, and despite what is on the hire's resume, you really have no idea of their true IT abilities or intentions. Ideally these new hires need to be properly supervised until they fully understand their role in the new organization. What might have been deemed an acceptable or learned IT process at one organization might be a risk in another and would need mitigation. Give your rebels the proper tools to help the fight.

2) TRAINING...DID I SAY USER TRAINING?
It never ceases to amaze me how many IT experts there are among our families, friends, and colleagues. More interestingly, most of these people have never studied, trained, or practiced IT as a profession. Pay close attention to those new hires; they can be even more dangerous... a little knowledge is a dangerous thing. Then there is the other side: people who have no IT experience and will unknowingly open an infected email and create a problem. IT admins will then have to clean it up, only to have that same person open a similar infected message the next day. Is it not easier to teach what is best done, and not done, before it is needed?

3) Properly allocated budgets to keep the alliance running!
It is rare that you can do more with less. Automation can help with this in many cases, but rarely can there be additional gains on systems that have already been automated. Replacing old systems with new ones can be perceived as a saving, but there are always additional costs that are almost never factored into the equation. Additional training for users, administrators, and in some cases customers will result in those undocumented costs. In some cases there is no option but to upgrade systems, for many reasons including obsolescence, and this might be the time to look at alternatives such as FOSS (Free and Open Source Software [f7]); but again, remember that even though it is free to get, that does not mean it is free to operate properly.

4) Appropriate levels of staff to research, maintain, monitor, and action alerts
In all my years of IT in both the private and public sector, I have never heard of any organization asking IT managers to hire more staff to make sure that all systems are properly monitored and maintained, and, while that process is underway, to hire a few extra just to make sure that all alerts are read and actioned. IT staffing has always been problematic in my mind; savings at one end are always offset at the other.

5) Properly Zoned and Classified Systems
There is so much that can be said and done in this area, but in a nutshell it is important that the data you are attempting to protect is properly classified. This applies to both the private and public sector. Once you have an idea of what is of value and what needs to be protected, the appropriate safeguards can be put in place. If the data is that valuable, does it need encryption? Is that information connected to the Internet? Do the servers in your organization have access to the Internet? Why? Do they really need access? Do you use a proxy and URL filtering to limit user and system access to the Internet? Whitelisting, blacklisting? UTM? IDS/IPS? There are so many options and permutations that can help you reach your goals if you clearly understand what it is you are trying to achieve and the value of the respective data.

6) Best in class
There are times when you can save, and there are times when the need is for best in class. Yes, in some cases you can save money by using an alternative instead of first-class products from the likes of #Checkpoint [f2], #Cisco [f8], #Fortigate [f9], #Sophos [f10] and a few others, but it is up to you to determine the risk, comfort level, and availability of the system. Cost of the system is not always key; if it is a mission-critical system, availability of support might be key, and that normally does not come for free. Support on a 24/7 basis from any supplier costs money and is therefore reflected in the cost of the systems. The Open Source movement creates best-in-class products too, but just remember that support is usually the trade-off at 1:30 AM during a system crisis.

7) Software updates
I don't think I need to go into many details here. Patching is a top priority, and upgrading to the latest versions of operating code when possible, while ensuring that the systems still meet the needs of the organization, is key. I will take a moment here to refer back to item #4 on this list: patching of systems is usually the first thing to go when staffing levels are low, and although the systems might be stable and patched as much as possible, they might still be vulnerable.

8) Sandboxed users
Do your users really need Internet access from the corporate network? If not, restrict Internet access, or use whitelists and blacklists. Perhaps institute a browsing system that allows your user community to access the Internet far more securely, using technologies such as a terminal server, a browser appliance [f13], Citrix [f14], or a proxy server in a restricted zone. Just remember that at one time it was necessary to allow personal calls on the corporate phone system so that families could communicate and have peace of mind; today that happens over the Internet through instant messaging, VOIP, and video calls. BYOD might be part of that solution.

9) BYOD [f11], [f12]
Bring your own device is a growing trend. In my opinion, if your organization's policy is against this benefit, they are wrong. Let's face it, these days you can isolate BYOD traffic to a segregated network and still allow the user community to receive family updates. DIY types will not think twice before trying to plug in a wireless access point. Will they still need to use their desktops to connect to external email systems and other types of services with this benefit? In my opinion this must be clearly communicated as a benefit, with safeguards, responsibilities, and limitations similar to those of the corporate network.

10) CANI - Constant and Never-ending Improvement [f15], [f16]
When we learn something as an organization, we need to document it and make it part of the organization's culture and processes. Make sure that same information is communicated to new hires. Apply the same philosophy to those in the know, and to the systems that support the organization.


Footnotes:
  1. https://www.optiv.com/ (Optiv; alternative: LinkedIn)
  2. https://www.checkpoint.com/ (Checkpoint; alternative: LinkedIn)
  3. http://www.mcafee.com/threat-intelligence/malware/default.aspx?id=337 (Darth Vader)
  4. http://www.mcafee.com/threat-intelligence/malware/default.aspx?id=105198 (Dark Avenger)
  5. http://starwars.wikia.com/wiki/Thermal_exhaust_port
  6. https://en.wikipedia.org/wiki/Open-source_software
  7. https://en.wikipedia.org/wiki/Free_and_open-source_software
  8. https://www.cisco.com/
  9. https://www.fortinet.com/
  10. https://www.sophos.com/
  11. https://www.priv.gc.ca/information/pub/gd_byod_201508_e.asp
  12. http://www.tenable.com/solutions/mobile-device-security
  13. https://solutionexchange.vmware.com/store/products/browser-appliance
  14. https://www.citrix.com/products/xenapp/how-it-works/application-virtualization.html
  15. https://en.wikipedia.org/wiki/Kaizen
  16. https://www.linkedin.com/pulse/20141022024211-98966181-constant-and-never-ending-improvement
