Help with an assignment?



  • I have to "interview an expert in my field of study" so that I can include the information in a speech where the audience is the non-technical people in my class. The instructor said that we could use whatever communication medium we wanted. The subject that made the most sense for a short presentation to users was web security. Would anyone mind answering these questions either here or in email? I can ask different questions if you don't like any of them. We are supposed to include a name and phone number, but I asked her if we could use an alias and an email address. I wanted to be able to mention general experience level.

    I put the questions here so you can see if you like them. I only need 5, so you don't have to answer all of them if you don't want to.


    1. What would you consider a security warning sign when you are using a website?

    2. Are there any common mistakes that you see users make that exposes them to lost information, identity theft or malware?

    3. What would make you think that a web site is likely a safe place for your sensitive data?

    4. Is there any reason not to prevent cross site scripting by using a separate browser to prevent cross domain problems?

    5. what do you think is the easiest way to manage passwords?

    6. Do you think about the general state of security and the internet?

    7. Is there anything that you think users should know?


  • Trolleybus Mechanic

    @Chame1eon said:

    1. What would you consider a security warning sign when you are using a website?

    A popup that says my computer has 137 Malviruses. Then I know I'm being warned my security isn't good enough, and I should install the offered security protection.

    @Chame1eon said:

    2. Are there any common mistakes that you see users make that exposes them to lost information, identity theft or malware?

     Everyone seems to be willing to give it away for free to companies like Google and Facebook, rather than leveraging and monetizing their own personal information.

    @Chame1eon said:

    3. What would make you think that a web site is likely a safe place for your sensitive data?

    Head trauma.

    @Chame1eon said:

    4. Is there any reason not to prevent cross site scripting by using a separate browser to prevent cross domain problems?

    No reason at all. In fact, everyone should use a separate browser for every site they visit. You can visit four whole websites by just sticking to the major browsers. Throw in a touch of IceWeasle if you need a fifth site. Maybe there's a text-heavy sixth site you can load in Lynx. Advanced users can double the number of sites they are allowed to visit by purchasing a second computer.

    @Chame1eon said:

    5. what do you think is the easiest way to manage passwords?

    Completely do away with them and rely on the honor system.

    @Chame1eon said:

    6. Do you think about the general state of security and the internet?

    See these questions.

    @Chame1eon said:

    7. Is there anything that you think users should know?

    I'm performing complimentary credit-card security analysis after the show.



  • I'd recommend avoiding the use of a handle when using a quote in a speech. You want a proper name of the individual as well as a quick descriptor of why they would be credible ("web developer so-and-so suggests..." or something like that).

    Edit: also you are going to get trolling answers here, but you may also get things you can use if you are lucky.



  • @Chame1eon said:

    1. What would you consider a security warning sign when you are using a website?

    When choosing password: "Password can not be more than n characters"

    Not using https for any login page.

    @Chame1eon said:

    2. Are there any common mistakes that you see users make that exposes them to lost information, identity theft or malware?

    Not verifying the source of a message (anywhere online, not just email), and thinking that the web is a private place. It's not.

    @Chame1eon said:

    3. What would make you think that a web site is likely a safe place for your sensitive data?

    In truth, you can't ever know for certain.

    @Chame1eon said:

    4. Is there any reason not to prevent cross site scripting by using a separate browser to prevent cross domain problems?

    I'm semantically confused by the ambiguous grammatical structure of this question.

    @Chame1eon said:

    5. what do you think is the easiest way to manage passwords?

    I have a good memory and a personal system for password generation, so I can't comment on any other methods like KeepAss.

    @Chame1eon said:

    6. Do you think about the general state of security and the internet?

    I have been online since the days of 28K8, so I kind of grew into it properly. That goes for most people here. What I see with regular users though, is that it's as if they're naive rural villagers coming to The Big City for the first time.

    @Chame1eon said:

    7. Is there anything that you think users should know?

    My precious city that I helped build is being overrun with masses of idiot villagers and the shopkeepers are catering almost exclusively to them. :(

    (just kidding. I have a twitter!)



  • @Chame1eon said:

    1. What would you consider a security warning sign when you are using a website?

    Not allowing you to use a fake name.

    @Chame1eon said:

    2. Are there any common mistakes that you see users make that exposes them to lost information, identity theft or malware?

    Believing that you can trust anyone on the Internet.

    @Chame1eon said:

    3. What would make you think that a web site is likely a safe place for your sensitive data?

    Low IQ.

    @Chame1eon said:

    4. Is there any reason not to prevent cross site scripting by using a separate browser to prevent cross domain problems?

    This question makes no sense. You're not a Nigerian Prince, are you?

    @Chame1eon said:

    5. what do you think is the easiest way to manage passwords?

    Write them down and carry them with you everywhere you go. However, easiest != best.

    @Chame1eon said:

    6. Do you think about the general state of security and the internet?

    Terrible. Worse than terrible. However, like everything else, the Internet is fine. It's people who are the problem.

    @Chame1eon said:

    7. Is there anything that you think users should know?

    Trust no one. Hate everyone.



  • @Chame1eon said:

    1. What would you consider a security warning sign when you are using a website?

    If Norton tells me that a site is unsafe, then most likely that site is unsafe and no good.

    @Chame1eon said:

    2. Are there any common mistakes that you see users make that exposes them to lost information, identity theft or malware?

    Not using the latest anti-virus / internet security / anti-malware stuff before browsing the internet.

    @Chame1eon said:

    3. What would make you think that a web site is likely a safe place for your sensitive data?

    Trick question? Don't place sensitive data on the internet.

    @Chame1eon said:

    5. what do you think is the easiest way to manage passwords?

    Rely on your brains unless you think they could be tricked. In that case, rely on a diary. KeePass is also a good option. Norton Internet Security also has a place to store usernames and passwords.

    @Chame1eon said:

    6. Do you think about the general state of security and the internet?

    The state is lamentable.

    @Chame1eon said:

    7. Is there anything that you think users should know?

    Do not use the same password on different sites. That will land you in trouble. Sometimes your wife will come to know your bank account password and use it on your email. Then she will know all that Google knows about you. Be afraid, and very, very afraid.



  • @dhromed said:

    Not using https for any login page.

    There's really no point using https for login if you aren't going to use it for the entire site. If someone gets your cookies, they can still do pretty much whatever they like.



  • @El_Heffe said:

    Trust no one.

    The Truth is Out There.



  • @locallunatic said:

    I'd recommend avoiding the use of a handle when using a quote in a speech. You want a proper name of the individual as well as a quick descriptor of why they would be credible ("web developer so-and-so suggests..." or something like that).

    I can see why you would say that, but there are a lot of things that make a lot of assignments less than realistic. I just don't want to ask for names unless I have to. This doesn't seem to justify it.

    @locallunatic said:


    Edit: also you are going to get trolling answers here, but you may also get things you can use if you are lucky.

    I was kind of expecting that. I just can't think of anything good to present to users that I don't have time to find myself. So I was trying to keep the pressure as low as possible. People obviously don't like boring questions that you'd hear over and over if it weren't for Google. I'm just stuck with this. : ( I'm not sure if the person who created the assignment was thinking them through.

    I also had to give a 2-3 minute speech that started with "My name is" and included my credentials where the audience was my "new coworkers" and the object was to "convince them to like me".

    I thought this was going to be about presenting estimates to management or something.

    Besides I thought at least it might be interesting or funny : P



  • @El_Heffe said:

    @Chame1eon said:
    4. Is there any reason not to prevent cross site scripting by using a separate browser to prevent cross domain problems?
    This question makes no sense. You're not a Nigerian Prince, are you?

    Gha, I rephrased the question halfway through for some reason.

    It seems to make more sense than saying: close every window you have open, clear your cache, open one window for banking, then clear your cache again. There was even an Onion article about this.



  • @dhromed said:

    @Chame1eon said:

    6. Do you think about the general state of security and the internet?

    I have been online since the days of 28K8, so I kind of grew into it properly. That goes for most people here. What I see with regular users though, is that it's as if they're naive rural villagers coming to The Big City for the first time.

    @Chame1eon said:

    7. Is there anything that you think users should know?

    My precious city that I helped build is being overrun with masses of idiot villagers and the shopkeepers are catering almost exclusively to them. :(

    (just kidding. I have a twitter!)

    I had the impression that the internet was better before I got to it, and now it doesn't really resemble what it did then, and I think that people who use social networking are crazy. I don't care if that means I'm the only one who seems to not be.

    I'm waiting for someone to invent some new medium of communication so I can move to that now : (.



  • I will try to answer seriously. If you need a real name, PM me and I will give you my first name.

    @Chame1eon said:

    1. What would you consider a security warning sign when you are using a website?

    It really depends on what the website is used for. For example, this site, who cares? Now if we're talking a site where I'm expected to enter financial or sensitive data, then:

    1. Not using SSL on every single page and for every single resource (images, CSS, JS). Chrome gives a warning if a page is encrypted but the resources aren't, which is good.
    2. A questionable domain. I would trust "bankofamerica.com" but not "bankofamerica.4j328965j23o4ijrw2jtoi24jo.floopityfloopityfloo.ru".
    3. I wouldn't bother with a company that's not well-established and seemingly trustworthy. For example, I'll use PayPal but I wouldn't use "RemunerateAcquaintance".


    @Chame1eon said:

    2. Are there any common mistakes that you see users make that exposes them to lost information, identity theft or malware?

    Downloading software from untrustworthy sources (i.e. The Pirate Bay). Not running anti-virus. Giving their passwords out to scammers.

    @Chame1eon said:

    3. What would make you think that a web site is likely a safe place for your sensitive data?

    Trustworthy name. Uses SSL for everything. Those are the two big ones I can think of.

    @Chame1eon said:

    4. Is there any reason not to prevent cross site scripting by using a separate browser to prevent cross domain problems?

    I really don't understand this one. You mean using a separate browser session for every site you open? It would be kind of inconvenient to set something like that up, and it seems too technically-sophisticated for the audience. But otherwise the question doesn't really make sense.

    @Chame1eon said:

    5. what do you think is the easiest way to manage passwords?

    Easiest? Just don't use one (or use the same, extremely simple one for each site). That's also the least secure thing you can do. I would recommend using some software like 1Password that generates new, random passwords for each site. Don't use the same one twice. Generate a random password to use as your master password for 1Password and memorize it. Also, write it down on a sticky and keep it in a locked safe or somewhere equally physically secure, in case you forget. Then you only have a single master password to remember.

    @Chame1eon said:

    6. Do you think about the general state of security and the internet?

    Significantly better than it was even a few years ago. Now virtually every big site I use that houses confidential data has SSL enabled. Even Google, Facebook and Twitter use SSL for everything now. Still, there's a long way to go to improve Internet security.

    @Chame1eon said:

    7. Is there anything that you think users should know?

    Best security advice I can give users: SSL is your friend. Learn what SSL looks like in your browser. Learn what SSL warnings, errors or outright missing SSL look like. Avoid entering personal information into sites that have SSL warnings, errors or don't use it at all. Be careful! Some browsers will display a "favicon" (a logo used to identify the site in your favorites) right next to the URL, right next to where SSL information is displayed. Illegitimate sites can use an icon of a lock to trick users into thinking SSL is enabled when it is not. Thankfully, more browsers are moving away from displaying favicons next to the URL.

    Check the URL. something.bankofamerica.com is okay. bankofamerica.something.com is suspicious. bankofamerica.something.ru is bad.

    Use different passwords for different sites, especially ones where you enter confidential information. Use good passwords, like those generated and stored by a program like 1Password. Do not use the name of your pets, your wife's birthday, etc.
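    The "check the URL" rule from the post above, written up as an added Python example (not code from the post or from any product it mentions): it reduces a hostname to its registrable domain and compares that with the domain the user expects, so a brand name sitting inside some other domain is flagged. The suffix table is a constructed stand-in for the real public suffix list, and the post's "suspicious" and "bad" cases both come out as "lookalike" because they share the same property.

```python
"""Hostname check in the spirit of "check the URL" above (added example)."""
from urllib.parse import urlsplit

# Constructed, deliberately tiny stand-in for the public suffix list. A real
# deployment would load the full list from publicsuffix.org instead.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br"}


def registrable_domain(hostname):
    """Return the part of a hostname that a registrar actually hands out.

    'something.bankofamerica.com'  -> 'bankofamerica.com'
    'www.example.co.uk'            -> 'example.co.uk'
    Returns None for IP literals and bare single labels.
    """
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) < 2 or all(label.isdigit() for label in labels):
        return None
    if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:]) if len(labels) >= 3 else None
    return ".".join(labels[-2:])


def check_url(url, expected_domain):
    """Classify a URL against the domain the user believes they are visiting.

    verdict:
      'ok'        the registrable domain is exactly the expected one
      'lookalike' a different registrable domain whose hostname still
                  contains the brand name (the post's
                  'bankofamerica.something.com' and '...something.ru' cases)
      'other'     an unrelated domain
    Also reports whether the page is served over HTTPS, since the post treats
    missing SSL as a warning sign on its own.
    """
    # Users paste bare hostnames; give urlsplit a scheme so it parses them.
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = (parts.hostname or "").lower()
    expected = expected_domain.lower()
    brand = expected.split(".")[0]
    domain = registrable_domain(host)

    if domain == expected:
        verdict = "ok"
    elif brand in host:
        verdict = "lookalike"
    else:
        verdict = "other"

    return {
        "host": host,
        "registrable_domain": domain,
        "verdict": verdict,
        "https": parts.scheme == "https",
    }


if __name__ == "__main__":
    # Constructed sample URLs, including the three from the post.
    for sample in (
        "https://something.bankofamerica.com/login",
        "https://bankofamerica.something.com/login",
        "http://bankofamerica.something.ru/login",
        "https://bankofamerica.4j328965j23o4ijrw2jtoi24jo.floopityfloopityfloo.ru/",
        "https://www.paypal.com/",
    ):
        result = check_url(sample, "bankofamerica.com")
        print(f"{result['verdict']:9} https={result['https']!s:5} {sample}")
```

    The brand-substring test is intentionally broad (a short brand name would match unrelated hosts), which is the right bias for a warning aimed at non-technical users.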



  • @morbiuswilters said:

    @Chame1eon said:
    5. what do you think is the easiest way to manage passwords?

    Easiest? Just don't use one (or use the same, extremely simple one for each site). That's also the least secure thing you can do. I would recommend using some software like 1Password that generates new, random passwords for each site. Don't use the same one twice. Generate a random password to use as your master password for 1Password and memorize it. Also, write it down on a sticky and keep it in a locked safe or somewhere equally physically secure, in case you forget. Then you only have a single master password to remember.

    1. Open Google Chrome
    2. Type the letter c into the address bar
    3. Type the letter h into the address bar
    4. Type the letter r into the address bar
    5. Type the letter o into the address bar
    6. Type the letter m into the address bar
    7. Type the letter e into the address bar
    8. Type the symbol : into the address bar
    9. Type the symbol / into the address bar
    10. Type the symbol / into the address bar
    11. Type the letter f into the address bar
    12. Type the letter l into the address bar
    13. Type the letter a into the address bar
    14. Type the letter g into the address bar
    15. Type the letter s into the address bar
    16. Push enter
    17. Enable this thing
    18. Close and reopen Chrome
    19. NEVER EVER MAKE UP OR REUSE A PASSWORD AGAIN


  • @morbiuswilters said:

    Learn what SSL looks like in your browser. Learn what SSL warnings, errors or outright missing SSL looks like. Avoid entering personal information into sites that have SSL warnings, errors or don't use it at all. Be careful! Some browsers will display a "favicon" (a logo used to identify the site in your favorites) right next to the URL, right next to where SSL information is displayed. Illegitimate sites can use an icon of a lock to trick users into thinking SSL is enabled when it is not. Thankfully, more browsers are moving away from displaying favicons next to the URL.

    By the way, this would be a good place for some visuals, if you're permitted. Show what SSL on and off looks like in the latest version of a few browsers. Get the users to understand which parts are chrome* (the parts the trusted browser controls) and which parts are controlled by the site itself, whose validity you are trying to assess.


    *Not the Google browser. Yes, one of the few places where I might actually need to explain the concept of UI chrome to end-users--for critical security purposes, no less--and Google decided to name their fucking browser Chrome. Why not just name that shit "Mahlwear"?

    Me: "Okay, right here the browser is showing you a warning indicating this site might have malware.."

    User: "The site has my browser?"

    Me: "No, 'malware' the harmful software like viruses. The site might have them, so Mahlwear is giving you a malware warning... This would be a good time to show you how to install the latest version of Mahlwear.."

    User: "You want me to install a virus?"

    Me: "No, that time I meant 'Mahlwear', the registered trademark owned by Google to name their browser. Can't you hear me enunciating the 'h' on 'Mahl'? And "wear" is spelled completely differently. Try to keep up."

    User: "I'm getting confused.."

    Me: "Okay, let's shelve security for awhile and go back to the Harley Davidson Visual Application IDE / Motorcycle Design tool. Now, to build the UI for our application we click 'Add Chrome'. No, goddammit, that was the 'Add Chrome' button for motorcycle design! You can tell because we're on OS X and it looks like a slightly-different type of shiny metal. You just electroplated your fucking UI, you moron! Why can't stupid users follow simple instructions when someone tells you to click the 'Add Chrome' button so they can add chrome?? Instead they click 'Add Chrome' and chrome their chrome! Arrgggh!!!"



  • @morbiuswilters said:

    *Not the Google browser. Yes, one of the few places where I might actually need to explain the concept of UI chrome to end-users--for critical security purposes, no less--and Google decided to name their fucking browser Chrome.

    Yeah, but what about all those times you want to talk about the Internet? Or a fox made entirely of fire? Or browsing the web on a vacation to Africa?



  • @Ben L. said:

    1. Open Google Chrome
    2. Type the letter c into the address bar
    3. Type the letter h into the address bar
    4. Type the letter r into the address bar
    5. Type the letter o into the address bar
    6. Type the letter m into the address bar
    7. Type the letter e into the address bar
    8. Type the symbol : into the address bar
    9. Type the symbol / into the address bar
    10. Type the symbol / into the address bar
    11. Type the letter f into the address bar
    12. Type the letter l into the address bar
    13. Type the letter a into the address bar
    14. Type the letter g into the address bar
    15. Type the letter s into the address bar
    16. Push enter
    17. Enable this thing
    18. Close and reopen Chrome
    19. NEVER EVER MAKE UP OR REUSE A PASSWORD AGAIN

    Sooo.. it knows every password-creation page in existence? And it has all of their arbitrary restrictions on password characters and length recorded and kept up-to-date? And it keeps them encrypted and secured with a master password? And the passwords are easily backed up? Oh, and of course they're easily accessible in other browsers? And of course it interfaces with non-web passwords, too, right? Because you're selling it as a complete replacement for an actual password manager, so surely it must do all of that.



  • @Ben L. said:

    @morbiuswilters said:
    *Not the Google browser. Yes, one of the few places where I might actually need to explain the concept of UI chrome to end-users--for critical security purposes, no less--and Google decided to name their fucking browser Chrome.

    Yeah, but what about all those times you want to talk about the Internet? Or a fox made entirely of fire? Or browsing the web on a vacation to Africa?

    I can't even guess what the fuck you're trying to say..



  • @Chame1eon said:

    Would anyone mind answering these questions either here or in email?

    Happy to. DM me with your email address & I'll get in touch.



  • @morbiuswilters said:

    @Ben L. said:
    @morbiuswilters said:
    *Not the Google browser. Yes, one of the few places where I might actually need to explain the concept of UI chrome to end-users--for critical security purposes, no less--and Google decided to name their fucking browser Chrome.

    Yeah, but what about all those times you want to talk about the Internet? Or a fox made entirely of fire? Or browsing the web on a vacation to Africa?

    I can't even guess what the fuck you're trying to say..

    this fucking name                             | makes it hard to talk about
    ----------------------------------------------|------------------------------------------------------
    Chrome                                        | motorcycles
    Internet                                      | THE FUCKING ENTIRE INTERNET
    Mozilla Internet Browser Platform Blancmange  | anything resembling an animal on fire
    Safari                                        | what morbs does when he feels like shooting a giraffe
    Opera                                         | Oprah
    Mahlwaer                                      | Google Chrome


  • I'm really glad you replied to this. Thank you.

    The instructor said that I don't need a name, so I won't mention anything you don't want me to.

    For the browser I meant: use any browser like Firefox for sensitive websites like banks and tax returns, and an entirely different browser like Chrome for regular use.

    It just seems like the simplest possible way to reduce cross site scripting or cross site request forgeries. The idea was that it would be much more convenient than closing everything entirely, and it's easy to distinguish the "safe" browser from the "unsafe" one. You could even apply a much stricter security configuration to the "safe" browser (e.g. NoScript, sandbox, incognito mode, etc.) than most people would be willing to put up with on regular web sites.

    I can't think of any reason that wouldn't be a good idea.



  • 1. What would you consider a security warning sign when you are using a website?

    • Not using HTTPS for pages that should be secure.
    • Pages that use expired certificates.
    • Weird password limitations that indicate underlying weaknesses in the storage and verification implementation. (e.g. max 8 characters, not allowing characters such as double-quote, etc.)
    • Sites that e-mail me my full membership information, including the full password.
    • Sites that allow me to recover my password instead of resetting it to a new password.
    • High-profile, fraud-sensitive services (e.g. banking, government, online store accounts such as PSN or Steam) that do not employ a form of two-factor authentication.
    • Websites which offer to store credit card details.

    2. Are there any common mistakes that you see users make that exposes them to lost information, identity theft or malware?

    • Not having an up-to-date browser.
    • Not having an up-to-date operating system.
    • Opening up additional attack vectors by installing third party browser plugins that are known to regularly have security issues, e.g. Flash and Java.
    • Not using an ad blocking tool and opening yourself up to drive-by assaults from badly curated ad networks.
    • Not using a whitelist-based script blocking tool.
    • Browsing with an account that has administrative permissions.

    3. What would make you think that a web site is likely a safe place for your sensitive data?
    Mind-altering substances or intoxicating levels of alcohol. Failing that, a hard enough impact with a blunt object to incur brain damage.
    The web is never a safe place for storing sensitive data of any kind, even with well-established tech companies like Google or Apple. (Case in point: the recent leak revealing the existence of the PRISM program.) Before storing or sending personal data anywhere you should always carefully consider whether it's worth it. In some cases though (e.g. government, educational institutions, employer, etc. ), it may be unavoidable and you should focus on supplying only the minimum.

    4. Is there any reason not to prevent cross site scripting by using a separate browser to prevent cross domain problems?
    User convenience. Other than that, it's actually a pretty good idea.

    5. what do you think is the easiest way to manage passwords?
    Post-it notes. However, as has been said: easiest != best. Best is probably memorizing a two-phrase master password to grab others off of a key chain software, explicitly without an option for password recovery or password recovery hints. For emergencies have two physical notes, one for each phrase, stored in separate safes.

    6. Do you think about the general state of security and the internet?
    It's a bloody freaking mess from the technical as well as the non-technical side. Technical exploits like XSS, CSRF or SQL injection refuse to die out, generally due to continued developer incompetence or unhealthy budget slashes coming down from management. With all the wet-behind-the-ears, gullible non-technical types cruising around on the web it's not going to get better any time soon either. Social engineering (such as phishing) is a 'rising star' that large government awareness campaigns continue to be unable to curb.

    7. Is there anything that you think users should know?
    Always treat the internet as hostile. Always second-guess intentions. If it sounds too good to be true, it is.



  • @Chame1eon said:

    I can't think of any reason that wouldn't be a good idea.

    Yeah, it seems like a fine idea, as long as you keep both browsers up-to-date.



  • @Ragnax said:

    • Sites that e-mail me my full membership information, including the full password.
    • Sites that allow me to recover my password instead of resetting it to a new password

    Good ones!

    @Ragnax said:

    High-profile, fraud-sensitive services (e.g. banking, government, online store accounts such as PSN or Steam) that do not employ a form of two-factor authentication

    Very few sites in the US use multi-factor. I honestly think it's more convenient and just as secure to use good passwords.

    @Ragnax said:

    Websites which offer to store credit card details

    That would be, like, every e-commerce site ever. I certainly have no problem with Amazon or Paypal having my CC details.

    @Ragnax said:

    • Not using an ad blocking tool and opening yourself up to drive-by assaults from badly curated ad networks.
    • Not using a whitelist-based script blocking tool.

    Sigh. Whatever vectors these represent are so incredibly small compared to the negatives incurred. You're screwing over content creators and making your life a hassle. You might as well just not use a computer.

    @Ragnax said:

    The web is never a safe place for storing sensitive data of any kind, even with well-established tech companies like Google or Apple.

    We apparently have radically different views of what the word "safe" means. I take it to mean "secure, with a low likelihood of being exposed". You take it to mean "absolutely cannot be exposed ever", which is crazy. In fact, your money is safer on some big company's servers than it is in your own pocket. I mean, do you refuse to leave the house because you're not safe from having a meteor falling on your head?

    @Ragnax said:

    Technical exploits like XSS, CRSF or SQL injection refuse to die out, generally due to continued developer incompetence or unhealthy budget slashes coming down from management.

    There will always be technical exploits. This is why it's safer to trust Amazon rather than a small Mom 'n Pop online store.

    @Ragnax said:

    If it sounds too good to be true, it is.

    That's always good advice to keep yourself safe from all sorts of harm.



  • @morbiuswilters said:

    @Ragnax said:

    • Not using an ad blocking tool and opening yourself up to drive-by assaults from badly curated ad networks.
    • Not using a whitelist-based script blocking tool.

    Sigh. Whatever vectors these represent are so incredibly small compared to the negatives incurred. You're screwing over content creators and making your life a hassle. You might as well just not use a computer.

    I've actually been trying to figure out how to prevent cross domain problems involving malware or tracking without interfering with ads.

    You don't have a chance to either opt out or stop going to a website before the tracking starts, so if you don't like it, how do you avoid it?

    You can't charge for something without asking first, so why can you record personal information without asking?

    I saw the AOL leak and I don't think it is possible to anonymize information like that without a lot of effort.

    It doesn't seem fair to non-technical users who can't see what is happening.

    With stuff like the BlackHole it seems like blocking unnecessary scripts makes sense.



  • @Chame1eon said:

    @morbiuswilters said:

    @Ragnax said:

    • Not using an ad blocking tool and opening yourself up to drive-by assaults from badly curated ad networks.
    • Not using a whitelist-based script blocking tool.

    Sigh. Whatever vectors these represent are so incredibly small compared to the negatives incurred. You're screwing over content creators and making your life a hassle. You might as well just not use a computer.

    I've actually been trying to figure out how to prevent cross domain problems involving malware or tracking without interfering with ads.

    You don't have a chance to either opt out or stop going to a website before the tracking starts, so if you don't like it, how do you avoid it?

    You can't charge for something without asking first, so why can you record personal information without asking?

    I saw the AOL leak and I don't think it is possible to anonymize information like that without a lot of effort.

    It doesn't seem fair to non-technical users who can't see what is happening.

    With stuff like the BlackHole it seems like blocking unnecessary scripts makes sense.


    Lemme get this straight:

    Online advertising is incredibly annoying when no information about the person viewing the site gets used.

    You think the way to make online ads more specific to your interests is to block them completely, meaning you're stealing from content creators who use advertisements as a source of income.

    And you seem to think this is a "privacy" or a "malware" problem. Seriously, if online advertising companies know nothing about you, the ads will suck. That's why my Google Advertising Preferences looks like this:

    The more information Google knows about my interests, the happier I'll be on websites that show ads. Simple as that.



  • @Ben L. said:

    The more information Google knows about my interests, the happier I'll be on websites that show ads. Simple as that.

    I don't think the services are worth that much and not everyone does.

    I can't think of any way to make the choice clear and easy to implement.

    I'd actually rather just store my credit card information in my password keeper on my own computer rather than having it stored on several servers unless there is a really good reason for them to keep it (autopay) too.



  • @Chame1eon said:

    @Ben L. said:

    The more information Google knows about my interests, the happier I'll be on websites that show ads. Simple as that.

    I don't think the services are worth that much and not everyone does.

    I can't think of any way to make the choice clear and easy to implement.


    I'm sure someone will think of something...



  •  A lot of web sites ignore that.



  •  This is almost completely off topic by now but this is the most complete article I can find about this: http://www.snet.tu-berlin.de/fileadmin/fg220/courses/SS11/snet-project/web-tracking_schmuecker.pdf



  • Hi, I apologize for not addressing your questions directly but if you have some spare time look up for Dmitry Bestuzhev, he has really nice and easy to understand talks and essays on security.


    Excuse me if I may, I'd like to add another topic. My bank has a very irritating (and mandatory) on-screen keyboard: every time you click on a number it is entered as plain text in the PIN field and a second later replaced with a bullet. I distrust almost every site with a similar feature.


  • Discourse touched me in a no-no place

    @Chame1eon said:

    I had the impression that the internet was better before I got to it, and now it doesn't really resemble what it did then

    Correct. The date you're after is September 1993.



  •  Inculcate is such a great word. It should have been the name of that movie, so that the awkwardness of the title and the film would be the same.



  • @morbiuswilters said:

    @Ragnax said:
    Websites which offer to store credit card details

    That would be, like, every e-commerce site ever. I certainly have no problem with Amazon or Paypal having my CC details.

    Ah sorry; let me rephrase that and apply a different tone to get the message across:
    Websites which 'suggest' I store my credit card details with them and then 'helpfully' pre-select the related options in the UI.

    @morbiuswilters said:

    @Ragnax said:

    • Not using an ad blocking tool and opening yourself up to drive-by assaults from badly curated ad networks.
    • Not using a whitelist-based script blocking tool.

    Sigh. Whatever vectors these represent are so incredibly small compared to the negatives incurred. You're screwing over content creators and making your life a hassle. You might as well just not use a computer.

    Will 10M+ potential victims over the span of one month do?

    @morbiuswilters said:

    @Ragnax said:
    The web is never a safe place for storing sensitive data of any kind, even with well-established tech companies like Google or Apple.

    We apparently have radically different views of what the word "safe" means. I take it to mean "secure, with a low likelihood of being exposed". You take it to mean "absolutely cannot be exposed ever", which is crazy. In fact, your money is safer on some big company's servers than it is in your own pocket. I mean, do you refuse to leave the house because you're not safe from having a meteor falling on your head?

    Prism says hi. I'd rather not have shady government outfits collect my data and then potentially share it with shady outfits of other governments in data exchanges for 'mutual benefits'.

    Do you know why so many people of Jewish faith were quickly and efficiently deported from the Netherlands during the occupation by Nazi Germany? Here's a hint: the German officials that were installed after the take-over commended the Dutch for their meticulously detailed civil registry. No-one wants to think about these kinds of scenarios, and granted, nowadays it almost seems silly and a contrived example. However, the potential for great fall-out still exists in the long run, and gathering data on sensitive subject matters (e.g. religious or political views) is a lot easier now than it was in the days of old paper archives.


  • Trolleybus Mechanic

    @Ragnax said:

    Do you know why so many people of Jewish faith were quickly and efficiently deported from the Netherlands during the occupation by Nazi Germany?

    Damn straight. They should have run AdBlock and put a custom element hiding rule on "YellowStar.jpg"



  • @Ragnax said:

    Will 10M+ potential victims over the span of one month do?

    Yeah, "potential victims", i.e. people who visited the hacked sites. How many were infected? First off, how many up-to-date browsers have JS vulnerabilities which can install malware? Second, how many of those would be caught by up-to-date virus software? I'm betting the answers are "zero" and "zero, since nothing got through".

    @Ragnax said:

    Prism says hi.

    I doubt the NSA is interested in using your credit card to buy iPads. Hell, I doubt they even have access to your credit card. But nice non-seq.

    @Ragnax said:

    No-one wants to think about these kinds of scenarios, and granted, nowadays it almost seems silly and a contrived example.

    I don't think so. I fully expect there to be at least one act of genocide nearly equal in scale to the Holocaust in my lifetime.

    @Ragnax said:

    However, the potential for great fall-out still exists in the long run and gathering data on sensitive subject matters (e.g. religious or political views) is a lot easier now than it was in the days of old paper archives.

    I don't really follow the line of reasoning that keeping your entire life a secret from the Internet is going to save you from being shoved into the crematoria. Heck, you wouldn't be able to do much of anything online, if that's your level of paranoia. I'd rather participate in the world and just keep in the back of my mind that things can turn nasty really quickly.



  • @morbiuswilters said:

    @Ragnax said:
    Will 10M+ potential victims over the span of one month do?

    Yeah, "potential victims", i.e. people who visited the hacked sites. How many were infected? First off, how many up-to-date browsers have JS vulnerabilities which can install malware? Second, how many of those would be caught by up-to-date virus software? I'm betting the answers are "zero" and "zero, since nothing got through".

    All it takes is a previously unknown 0-day exploit being used to turn that 0% into close to 100%.

    @morbiuswilters said:

    @Ragnax said:
    Prism says hi.

    I doubt the NSA is interested in using your credit card to buy iPads. Hell, I doubt they even have access to your credit card. But nice non-seq.

    @Ragnax said:

    No-one wants to think about these kinds of scenarios, and granted, nowadays it almost seems silly and a contrived example.

    I don't think so. I fully expect there to be at least one act of genocide nearly equal in scale to the Holocaust in my lifetime.

    @Ragnax said:

    However, the potential for great fall-out still exists in the long run and gathering data on sensitive subject matters (e.g. religious or political views) is a lot easier now than it was in the days of old paper archives.

    I don't really follow the line of reasoning that keeping your entire life a secret from the Internet is going to save you from being shoved into the crematoria. Heck, you wouldn't be able to do much of anything online, if that's your level of paranoia. I'd rather participate in the world and just keep in the back of my mind that things can turn nasty really quickly.

    The problem with data being collected isn't so much that data is being collected. You have to accept this to some degree. (Which I also made note of before, I think; 'weighing pros and cons' etc.) The problem is when society becomes complacent and stops thinking critically about it. If the practice becomes common enough to turn into something commonplace, then you've essentially handed government and business a golden ticket to do whatever the hell they want on the data collection front. It's not paranoia but more ideology: keep people aware of the fact that no website is ever "a safe place for your sensitive data" and that there are always risks attached. The WW2 example is that set of risks taken to its logical extremes. On a smaller and much more realistic scale you have to consider other unpleasantries such as identity or credit card fraud following a database breach at a company you thought was trustworthy, a recent and striking example being the PSN data breach.



  • @morbiuswilters said:

    @morbiuswilters said:
    Learn what SSL looks like in your browser. Learn what SSL warnings, errors or outright missing SSL looks like. Avoid entering personal information into sites that have SSL warnings, errors or don't use it at all. Be careful! Some browsers will display a "favicon" (a logo used to identify the site in your favorites) right next to the URL, right next to where SSL information is displayed. Illegitimate sites can use an icon of a lock to trick users into thinking SSL is enabled when it is not. Thankfully, more browsers are moving away from displaying favicons next to the URL.

    By the way, this would be a good place for some visuals, if you're permitted. Show what SSL on and off looks like in the latest version of a few browsers. Get the users to understand which parts are chrome* (the parts the trusted browser controls) and which parts are controlled by the site itself, whose validity you are trying to assess.

    I wouldn't have thought the visuals were so important, but after working on the school's helpdesk it seems better to make sure people have a good idea of what things are supposed to look like. I actually personally tend to ignore visual information in lieu of textual information.



  • I was actually thinking more of the early web rather than the internet, since you just didn't see a lot of Usenet archives but there were a lot of frozen web sites for a while. It took me a while to realize where the AOL'ers' reputation actually came from and that the current Windows 98 wave wasn't the first one to smash the previous culture nearly out of existence.

    It's sad.

    Most of what is easy to find with Google just looks like what you could already just find anywhere. Google Trends usually seems to just be a reflection of whatever was on TV recently.

    Sites with good forums seem to be nearly non-existent, and so are sites with interesting things like ROM hacking. (No one knows of anything interesting, do they?)

    That is why I like these forums. 

    I was trying to think of some way that the internet could be segmented so that unique independent cultures and communities could still exist.



  • @Ragnax said:

    All it takes is a previously unknown 0-day exploit being used to turn that 0% into close to 100%.

    But there are 0-day exploits in all kinds of software, not just Javascript engines. Do you browse using telnet or something? I mean, part of using software is accepting that sometimes there will be exploits. You've drawn this very arbitrary line at "Javascript", it seems. At least it makes sense to block Flash and Java, since they are so buggy, but Javascript engines? In 2013?

    @Ragnax said:

    It's not paranoia but more ideology: keep people aware of the fact that no website is ever "a safe place for your sensitive data" and that there are always risks attached. The WW2 example is that set of risks taken to its logical extremes. On a smaller and much more realistic scale you have to consider other unpleasantries such as identity or credit card fraud following a database breach with a company you thought was trustworthy, recent and striking example being the PSN data breach.

    I can agree with the "keep people aware there are always risks attached" part. Of course, that's true of anything. I mean, you're probably more likely to have your credit card number stolen by some shifty waiter than you are to have it hacked from one of Amazon's servers.



  • @Chame1eon said:

    I was trying to think of some way that the internet could be segmented so that unique independent cultures and communities could still exist.

    I dunno, I'd say the Internet is one of the most unique, vibrant collections of subcultures to ever exist. Heck, right here we've assembled a handful of people from all over the world who have two very specific, unique interests: software engineering stupidity and purple dildos. I don't think you could sustain a club like that in the real world, not even in some place like NYC.



  • @morbiuswilters said:

    @Chame1eon said:
    I was trying to think of some way that the internet could be segmented so that unique independent cultures and communities could still exist.

    I dunno, I'd say the Internet is one of the most unique, vibrant collections of subcultures to ever exist. Heck, right here we've assembled a handful of people from all over the world who have two very specific, unique interests: software engineering stupidity and purple dildos. I don't think you could sustain a club like that in the real world, not even in some place like NYC.

    That's true, but the only reason I found this is because someone put one of the Error'd articles on StumbleUpon with all the pic dumps. Google's popularity-based page ranking, combined with what's either aggressive SEO or just a larger commercial presence, seems to combine so that at this point the stuff I am interested in is hard to find without random luck like I mentioned above. A lot of forums seem to drop below the threshold of activity that motivates people to actively seek updates, and it's harder and harder to find any new ones.

    I was kind of hoping Google's personalization of searches would work better, but it never did.

    I think that with the volume of people online now, popularity-based searching and ranking just makes things that were obvious anyway even easier to find, but other things nearly impossible. It seems you could do something better with this medium.

    Maybe I'm spoiled?



  • @Chame1eon said:

    I actually personally tend to ignore visual information in lieu of textual information.

    You're saying that without text, you also ignore pictures.



  • Well, that's funny for someone who is purportedly text oriented, but at least someone told me.

