Archive for the ‘culture’ Category

Exploiting Trust: Vulnerabilities in Social Media

Saturday, February 13th, 2010

Right now social media, security-wise, is exactly where the internet was in the mid-90s: we’re excited, we’re adding functionality, we’re connecting to everyone, and we’re assuming that everyone else is as excited and good-willed as us. In other words, we’re trusting.

Much like early websites, built by enthusiasts (in all the negative connotations of that word), our current approach to distributing information about ourselves has very few security precautions. This is partly because we don’t really understand the scope of our actions, and partly because what we’re writing is free content for the social media sites: the more we write and the more people read it, the higher the value of their website.

This isn’t an attack on any specific protocol, site, or network, though I will discuss a few, but rather a general discussion of our attitude. I realize I’m writing this one day after the launch of Google Buzz, but all of these vulnerabilities existed previously as well; Google’s ubiquity and its attempt to centralize all of it just make them more obvious.

One great example of trust is the hash tag mechanism on Twitter. Companies are using hash tags to foster conversation about themselves without any thought about the lack of moderation in the medium. A corporation that would instantly file a cease and desist against a website that made claims in its name in official-looking type is more than happy to lend legitimacy to “its” hash tag by having reps post to it from their Twitter accounts. This creates a trusted space with absolutely no access control, as anyone can post using any hash tag.

If an attacker waits for this company-name hash tag to achieve legitimacy and a crowd of followers, all she has to do is push enough posts quickly enough to cause a (pardon) buzz, and an instant bad-press rumor is launched. There are plenty of forums that can (and, off the top of my head, 4chan, digg, and reddit have) push enough posts to create a trending rumor out of the blue, especially once the retweets from confused readers begin and take over the process. Since Twitter provides an API, this could also be done by a bored single person who created a few thousand accounts for himself with a captcha breaker and can write scripts. By endorsing these open hash tags, companies are basically giving the world at large the ability to speak in their voice.

Companies have also taken to putting screens in their lobbies that show their hash tags as scrolling searches (or, in one case in San Diego, on a large TV behind the bar). The lack of moderation means that anyone can post ads for their competitors, or simply embarrassing content, in order to hurt the brand name. There is no way to stop this content from being posted to the hash tag and, short of closing the feed, no way to remove it. Some of the software goes as far as displaying images inline; ways to prank this are left as an exercise for the reader.

On the complete opposite side of this target space are personal social media attacks. A casual glance at Facebook, Twitter, and Buzz feeds shows that we treat these websites like personal conversation tools, not billboards for all to see. Things we’d never plaster over our house, like “I’ll be gone on vacation for 7 days so no one is home”, we’re more than happy to put online on a site that also has our address. We fight like mad against the invasive nature of omnipresent cameras while tweeting our exact location every 30 minutes in order to get Foursquare points, with absolutely no sense of irony.

Google Buzz, which by default appends map information when posting by phone, makes this even more obvious. A chatty person involved in a back-and-forth might leave a complete trail of where they were at near-constant intervals throughout their day. While I grant that this lack of privacy is not catastrophic in and of itself, a criminal with a smart phone and access to the “local buzzes” feature would be able to get up-to-the-minute reports of who is where, who just went to the ATM, who is bringing home a new expensive TV (and where exactly they are plugging it in), and, with a trip to the airport, a constant feed of people excited to be going away for a few days.

The last in particular highlights that we have not reached the point that caused the tip towards security on the net: attacks automated enough to let every Joe the Script Kiddy do harm. Currently an attacker would have to go to the airport, set up a laptop, pull the buzzes of people leaving or arriving, compare them to their previous buzzes, and figure out their home addresses. However, all of the above can be converted into a simple application which performs all these steps in a few seconds, something we’ll playfully call iBurglar. Once it’s an easy-to-use app available for download, that is the point where we might start to see action from the social media websites.

We also do not realize how permanent the things we write on these websites are and how trivial searching them has become. A search on social sites for phrases related to drug use (try 420) shows people more than happy to discuss illegal actions in criminally implicating ways. And this time, unlike phone or text messages, we can’t even begin to claim an expectation of privacy; we are literally posting it for everyone to see. There was recently a news story about a bail jumper who was caught because cops recognized the resort in the background of his new Facebook profile photo. This didn’t even require a warrant; it was a public photo.

It’s easy to dismiss examples like that, and all the previous ones, as the fault of the users, but users assume privacy and assume good intentions. Currently social media is a giant space completely open to attack, and our open-by-default approach is not sustainable. It is the responsibility of social media designers to create media that steer users into safe behaviors and quite literally protect them from themselves, while at the same time balancing the needs of their shareholders and advertisers. It’s an interesting future, no doubt.

what i learned from the prop 8 trial (1-3)

Thursday, January 14th, 2010

just a series of facts i picked up from reading the summaries of the proceedings (this is not a summary of the trial)

- george washington was sterile. this made him a more popular choice for president since he couldn’t have a “dynasty”

- old testament jews practiced legal polygamy

- as part of the “not legal to be gay in public” rules, people were arrested for having too long or too short hair, pretending to dance with someone of the same sex, and in one case, for being two men discussing opera.

- from the above, gender roles used to be enforced by the government

- for a period of time if an american woman married an asian she would have her citizenship revoked, and not gain the husband’s. since asian men were never allowed to gain citizenship, the wives became effectively stateless

- from the above, marriage was and is used by the government as a punitive measure to enforce 2nd class status

- until 1975 the federal government was not allowed to hire homosexuals for state posts

- the vatican is on record saying “Allowing children being adopted by gay couples would do violence to these children. Their condition of dependency would stunt their full human development”. this implies that in the eyes of the catholic church homosexuals are inferior and not ‘full humans’

one thing i did know but want to reiterate: it’s amazing how blatant it is that “protect” is a fake word. protect children, protect marriage. that word has a specific meaning: you ‘protect’ from evil, you ‘protect’ from criminals, you don’t ‘protect’ from learning about someone else who you respect and value as a fellow human being

it’s also very telling that prop 8, the anti-gays, are actively attempting to block the inclusion of pro-prop 8 ads, including ones they themselves wrote and shot. almost like they are ashamed of them (legally speaking, of course)

The evolution

Tuesday, January 5th, 2010

stephen hawking, in a lecture, says that the human race has ‘entered a new stage of evolution’, in that we are now taking control of our genetics directly. yes and no: his point is entirely accurate and valid, but his word choice is wrong. people abuse the word evolution because it’s the only one they know to describe change (perhaps ‘improvement’) of a population over time.

look, you wouldn’t say “bob has entered a new stage of walking, he has a bike now”, you would say “bob doesn’t walk places as much, he now bikes”. similarly we’re no longer evolving, we’re now doing something else. coin a word, or just say ‘custom designing ourselves’. evolution requires natural selection and that force nowadays has very little effect on humans, in a world with health care and birth control.

we can’t understand the future by simply blindly shoehorning our reality into outdated concepts and terms. so yes, partially this is me just being a stickler on word choice, but partly we also need to be aware that we shape our thinking in terms of things we know, and there’s no reason to give people wrong conceptions on what’s going on.

technology to make you an important person

Tuesday, December 8th, 2009

in one of umberto eco’s collections of writings he mentions seeing a man in a restaurant who during dinner would loudly talk on his cellphone about large (iirc mafia-related) business deals. the man’s intention was to communicate that he was an important person of significant power. eco then points out that the man got one thing precisely wrong: an important person would never be interrupted during dinner.

power is about being able to do what you want, when you want to, not simply being responsible for greater and riskier things.

i recently thought about this upon receiving a random internet alert. i spent a large chunk of my life thinking that to be more technologically advanced you need to be more hooked up, with all your programs reporting status updates to you constantly. in reality this does not empower you, just scatters your attention.

instead, i’ve now actually made an effort to disconnect myself and hide things away from myself. i have enough trouble concentrating without a periodic ‘beep’ that, upon investigation, will inform me that someone has become the mayor of a new eatery in foursquare. my phone and computer have no twitter/facebook/rss alerts at all anymore, instead i read those when i feel like it using web browser bookmarks. my phone now receives nothing that makes noise, except calls which still require immediate attention unfortunately.

my only exception is that emails that go to my work account show up in my computer dock. that’s a work obligation. nothing else does.

technology should never interrupt you. technology should politely wait for you to look in its direction, then quickly, clearly, and efficiently say to you what it has to say, and when done move back and wait on the side.

the maliciousness of crowds

Thursday, November 26th, 2009

if there is one thing that programmers can almost uniformly be accused of, it is coding for the best case: wanting to write programs designed around all things behaving correctly every time.

one random facet of this is the assumption that crowds and their voting can be trusted to behave in a productive way. let’s say you have a website where people vote on who is the best poster / reviewer / uploader / whatever, and rewards them in some way. simple to implement, simple to test, and you’re done, right?

well, never underestimate the willingness of crowds to behave maliciously. getting 1000 people to do a prank on a system like that is trivial, and it’s even easier to get one person with a bunch of zombie machines all over the planet.

attacks like this are really common: websites raid amazon review / recommendation pages for fun, 4chan obliterated a “person of the year” TIME poll, and twitter “trending topics” seem to be raids more often than not.

the last one in particular strikes me as funny. businesses are now using their own hash tags to let people talk about them, and in some cases display the results in real time in the lobby or on their page. i’m astounded at this. all it takes is one message board post asking everyone to twitpic porn to the hashtag and voila, instant PR disaster.

always program for the worst case, not the best case. unless you have some method to block them, assume that at any point in time there are thousands of bored suburban teenagers who would love to abuse any ranking system you have for laughs.
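To make “program for the worst case” concrete for the voting site described above, here is an added example in Python (not code from the original post): the best-case tally that simply counts every vote, beside a hardened tally that accepts one vote per account, ignores accounts younger than a threshold, caps votes per source address, and flags any candidate whose accepted votes arrive in a burst. The candidate names, voter names, addresses and timestamps are constructed for the example; the thresholds are illustrative defaults, not figures from the post.

```python
from collections import Counter, defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Vote:
    voter: str            # account that cast the vote
    voter_age_days: int   # account age when the vote was cast
    source_ip: str        # address the vote came from
    candidate: str        # who the vote is for
    cast_at: datetime


def naive_tally(votes):
    """Best-case implementation: every vote counts."""
    return Counter(v.candidate for v in votes)


def hardened_tally(votes, min_voter_age_days=14, max_votes_per_ip=3,
                   burst_window=timedelta(minutes=10), burst_limit=20):
    """Worst-case implementation.

    Returns (counts, rejected, flagged): accepted votes per candidate,
    a Counter of rejection reasons, and the set of candidates whose
    accepted votes arrived faster than burst_limit per burst_window.
    Flagging does not change the count; it tells a human where to look.
    """
    counts, rejected, per_ip = Counter(), Counter(), Counter()
    seen_voters, flagged = set(), set()
    accepted_times = defaultdict(deque)   # candidate -> accepted timestamps

    for v in sorted(votes, key=lambda v: v.cast_at):
        if v.voter in seen_voters:               # one vote per account
            rejected["duplicate_voter"] += 1
            continue
        if v.voter_age_days < min_voter_age_days:  # throwaway accounts
            rejected["young_account"] += 1
            continue
        if per_ip[v.source_ip] >= max_votes_per_ip:  # one box, many accounts
            rejected["ip_cap"] += 1
            continue
        seen_voters.add(v.voter)
        per_ip[v.source_ip] += 1
        counts[v.candidate] += 1
        times = accepted_times[v.candidate]
        times.append(v.cast_at)
        while times and v.cast_at - times[0] > burst_window:
            times.popleft()
        if len(times) >= burst_limit:
            flagged.add(v.candidate)
    return counts, rejected, flagged


# Constructed sample: honest votes trickle in over three hours, then a
# raid for "mallory" from 60 aged sock puppets behind 10 addresses plus
# 100 day-zero throwaways, all inside five minutes.
BASE = datetime(2009, 11, 26, 9, 0)


def _honest(name, candidate, i):
    return Vote(name, 200 + i, f"10.0.{i}.1", candidate,
                BASE + timedelta(minutes=7 * i))


SAMPLE_VOTES = (
    [_honest(f"reader_{i}", "alice", i) for i in range(15)]
    + [_honest(f"reader_{15 + i}", "bob", 15 + i) for i in range(12)]
    + [Vote("reader_3", 203, "10.0.3.1", "alice", BASE + timedelta(hours=5))]
    + [Vote(f"puppet_{i}", 60, f"192.0.2.{i % 10}", "mallory",
            BASE + timedelta(hours=3, seconds=5 * i)) for i in range(60)]
    + [Vote(f"throwaway_{i}", 0, f"198.51.100.{i % 20}", "mallory",
            BASE + timedelta(hours=3, seconds=3 * i)) for i in range(100)]
)

if __name__ == "__main__":
    print("naive:", naive_tally(SAMPLE_VOTES))
    counts, rejected, flagged = hardened_tally(SAMPLE_VOTES)
    print("hardened:", counts, "rejected:", rejected, "flagged:", flagged)
```

On the sample, the naive tally hands the raid a 160-to-16 win. The hardened tally throws out the duplicate, all 100 throwaways and 30 of the puppets, yet mallory still leads 30 to 15: per-account and per-address caps shrink a raid, they do not stop one run from aged accounts. What stops it is the burst flag, which is why the function reports it separately instead of silently adjusting the numbers.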

smack my bishop

Tuesday, November 24th, 2009

the catholic church decided to bar a congresscritter from communion cause he failed to vote against abortion. to be honest i hope this practice takes off as america still has a huge bias against atheism and this makes it clear that atheism is not just not believing in god, but also a conscious decision to eschew religion as the gods available all seem to behave like very human spoiled children

in less serious, i heard a cute response to “god asked me to pray for you” which was “well tell him to man up and talk to me directly and not go behind my back like this spreading rumors”.

g-g-g-geo

Tuesday, October 27th, 2009

geocities got shut down. i tried to find the two websites i had on there but for the life of me couldn’t remember anything about them. no idea what the urls, subject matter, or title were, and really, i probably wouldn’t have recognized them even if i saw them. it’s funny, all the various liquidspin.coms i remember at least sorta clearly, but zero for the geocities/angelfire stuff. i don’t think i was quite self aware of my own web-actions at that point

so yahoo bought that site for over 3 billion dollars. at the time that was the content center of the internet. this was the future, this was user generated content, a beginning of a new world where we all build our own amusement, learn, and share.

so what went wrong? at that point it didn’t dawn on anyone that none of us want to create content. not really. that’s work, requires effort to maintain, and skill in setting up in the first place. we don’t really want to create content, we just want to post pics of our cats, say what we had for dinner, and link people to funny videos. we’re a consumer society, not a creator society. don’t bet against that.

- -

this is a pretty funny video, i just had dinner that was potato with some random fixings, and here’s a pic of my cat hanging out under a stool where he can still comfortably keep an eye on his food bowl:

Loki under stool

objectivist orientation

Friday, October 16th, 2009

objectivism is popular cause 95% of us think we’re the top 5% smartest

some people sing in the shower…

Thursday, October 15th, 2009

so life is a performance. yes, we choose our role moment to moment, and yes it would be disingenuous to say that our choices are really limitless. being human and herd animals we are limited by what we feel is the limit of what others expect of us.

but that’s a tangent though. life is a performance, and as it is a performance there is a certain quality to it that we call authenticity. it’s hard to pin down, but i ran across a few things that got me to thinking about it

so let’s start by talking about alt-sex cause people love alt-sex or so i’m told. at the defcon jeopardy game (drunk social event for hackers) there was a girl there whose job was to basically dress up like a dom and hit people who answer incorrectly. she (and all the previous incarnations of her) did a great job, people had fun, cheering was had, but at the same time it was clear that she wasn’t a domina, not really, and i was wondering about why exactly.

it’s not a question of context in this case, i’m not speaking of attempting to subdue a room full of boisterous drunks, i’m talking about the reaction i had as she was still walking in beforehand. it was one where the instant reaction was “aww, sweetie, i know what you’re going for and you certainly dressed the part, but you’re doing it all wrong. no idea how, but you are”

the dom thing isn’t attire or any physical action, in the end it’s something that’s an immediate emotional reaction. you either instantly understand upon seeing the person, or you don’t. if they don’t broadcast this authenticity in the first moment, there is no way to sort of back up and try again.

i guess i don’t mean in the first moment, but in the first moment it’s “turned on”. it is a performance and an act. keep in mind that those words don’t mean it’s “fake” to me, just that it is something we consciously choose to do. it’s fake only in the sense as our performance of being students, teachers, parents, or children is fake just because it’s possible for us to theoretically not act that way.

and i’m not saying that this is about some magical quality that comes from being in a culture. that’s stupid. it is absolutely possible to fake the performance with enough authenticity to make it real to anyone, but you would find that as you do so, you would no longer be faking it. yes, it’s catch-22ish. as soon as you pretend it well enough, you’re no longer pretending.

example 2: i was at a show not too long ago, 3 bands played. 2 of them were ‘normal’ to me, 1 of them the singer and frontman never felt like one. he dressed like a frontman, he spoke one, he sang into the mic, but at no point did i believe it. again, the authenticity wasn’t broadcast.

this is something i’m a bit hypersensitive to now that i’m fronting the band for real. the live show is a double performance, the band pretending to be the band, and the audience pretending to be the audience. if the singer can’t act like a band, soon the audience will feel stupid acting like an audience. there’s words that we use for it that vary from genre to genre, ‘energy’ being a common one, ‘feeling it’ is another, ‘getting us’, whatever. in the end it’s ‘we believed your performance, you believed ours, and we chose to have fun tonight’

another example: nerd core. yes, i’m taking you, kicking and screaming, from bdsm to geek rappers. let it go.

two rappers: mc chris, and mc plus+

mc chris:

mc++:

(what the hell, we don’t get pics of the girl dom but we get two nerd dudes?)

life’s a bitch, deal with it. btw, i originally wrote “pasty white dudes” but having googled him i now realize that mc plus+ isn’t very pasty. thanks for making me lose a great phrase.

so here’s the thing. i believe mc chris. and i don’t mean that i take what he says literally since that would include believing he owns a batmobile with a mcdonald’s inside, but the authenticity of his performance is there for me. i’m saying that when he talks about being a geek, i emotionally relate to him. i don’t feel it from mc plus+. and i’m not questioning mc plus+’s street cred, inasmuch as that term can possibly apply to someone who not only never claims to spend time on the streets but in fact claims to never leave their bedroom. i really believe he is a geek in real life, but his performance of being a geek doesn’t feel authentic.

“how can you possibly come across inauthentic at being yourself?”. because yourself is an act. because this requires performing a swagger and not just being geeky. and because there is more to this bravado than simply stating it and having the balls to hold a mic in front of a crowd of people, and that something is enjoying it to the point where you forget you’re only pretending to be enjoying it.

fourth and last example, this guy:

tim minchin performing “if i didn’t have you”, at the secret policeman’s ball.

btw, that’s officially my favorite love song of all time now.

there’s a geek culture thing to this song, like him trying to explain the word special as he’s using it, those 3 lines have more honesty in them than pretty much all other love songs combined. not just in what he’s saying (cause for all i know whitney will in fact always love you and is just as truthful), but in how honest his performance of it is. it’s someone who first screws up by saying his girlfriend/wife isn’t special, then tries to dig himself out, then realizes that even more importantly he’s now being ambiguous about what he meant by the word ’special’ and the best way to explain that is with statistical analysis.

this post would probably go on here to start talking about dimitri martin and his palindrome, and then finish on comparing the comics smbb and “the warehouse comic”, but at this point i finished showering and stopped pondering this.

oh, and also something about how our ability to detect authenticity being in part our exposure to the role at hand. i’m positive i have a different standard of authenticity of a domina than 99% of defcon, probably 95% one way, and 4% the other way. or thereabouts.

here’s a hacker jeopardy pic in either case:

hey, nice post

Monday, September 28th, 2009

the phrase “hey, nice ____” really seems to mean “oh hey, i just noticed you have ____. i was just thinking earlier that i would like to have ____ and you reminded me”

most recent was me taking my burning man bike onto an elevator. the thing is dirty, the chain looks like it was processed through a horse, there’s duct tape holding the left gear shift together, and the thing is a $30 bike to begin with. a random guy on the elevator looks at it and says “nice bike man”.

no it isn’t. a cursory glance would tell you it’s not a nice bike in its current state, however a similar cursory glance at you leads me to think that perhaps you were a person who was just thinking that biking sounds like a good idea, what with gas prices and exercise and all.

i have a similar attitude to people who say “nice tattoos”. i think it’s more often than not a mental follow up to “oh hey, i sort of want tattoos and you look similar to what i’d be shooting for, image wise”.

- -

apparently today is “over-analysis of harmless societal rote performances”