
On 9/07/2013 4:18 PM, Rick Moen wrote:
> Quoting Andrew McGlashan (andrew.mcglashan@affinityvision.com.au):
>
> > [2] http://twit.tv/show/security-now/404 -- How Facebook Monetizes (May 15 2013)
>
> One's faith in this as a credible source of information is somewhat impaired by their citation of third-rater IT drone Steve Gibson, of all people, as 'the security master'.

It may not be the best source, by a long way, but it is a source that often has /some/ gems. Steve Gibson often says things that infuriate me because I just plain know he is wrong, but on the whole, he isn't that bad.

> Anyway, the only surprise in this subject would be the notion that anyone might be unaware that Facebook is selling its users as product, which they are most certainly doing, indeed. It suffices to visit any Facebook page and check using NoScript to see the array of tracking methods they throw at people, and that aspire to track even logged-out users.

Yes, and with the shadow profiles, they will link up ALL the email addresses that they can find for you from whatever source gives them up willingly (even if naively willing).

> Additionally, one might point out that the smartphone market's whole 'start with a proprietary, vendor-controlled OS, then install and run a variety of untrustworthy codebases from nowhere-in-particular' user culture is essentially hopeless, i.e., there is -no- prospect for reasonable security, having thrown that away at the beginning. And that's not including their other obvious data-mining measures.

Yes, I think you are right there; such a pity ... but I'm not going to resort to my old Palm VX any time soon.

> The core of my computing centres around the Debian server in my garage (the linuxmafia.com box), which is a fine platform with a readily understandable and controllable security model and which I can rely upon to work for me and not three-letter spook agencies.

;)

> [1] Although it's an opaque proprietary OS, PalmOS as implemented on classic PDAs like my Palm TX is a single-tasking, standalone OS, hence it has a simple, readily understood threat model. The killer app in my opinion is Martin B. Pool's Keyring, http://gnukeyring.sourceforge.net, an open-source 3DES datastore for security tokens. I keep anything and everything security-sensitive there, airgapped from all networks.

Now known as just Keyring for Palm OS, they've dropped GNU from the name, but the SF link still needs it; it would be good if it redirected to http://keyring.sourceforge.net - oh well. I don't trust 3DES, and 112 bits doesn't seem enough for my liking; that's only really 2DES anyway. It also looks like your password is crackable against the MD5 hash ... where the 32-bit random salt comes in seems quite unclear to me from the description. KeePass and TrueCrypt are what I use (for now); both seem much more secure than Keyring for Palm OS, albeit I don't use them with an airgapped device.

Cheers
A.