Tuesday, February 24, 2009

Facebook reverses terms of service.

I think all of you Facebook people need to know a little more about Facebook's terms of service.
Directly from EPIC news:



On February 18, 2009, hours before EPIC planned to file a complaint
with federal regulators regarding changes to Facebook's Terms of
Service, the social network service restored the original policy.
Facebook also committed to a more transparent, participatory process
regarding future changes to its Terms of Service, a process that
"reflect[s] the principles and values of the people using the service."
"Facebook users will have a lot of input in crafting these terms," the
company promised.

The modified Terms of Service were announced on February 4, were widely
criticized, and were to be the subject of the EPIC Federal Trade
Commission complaint. EPIC observed that the modified Terms of Service
included several material changes, which adversely impacted Facebook
customers, eviscerated widely recognized privacy rights, and unilaterally
and retroactively transferred control of user generated content to
Facebook. These modifications were made without any meaningful notice
to Facebook users. EPIC noted that the unilateral transfer of rights to
Facebook was an unfair and deceptive business practice. Facebook users
observed that, under the revised policies, Facebook asserted broad,
permanent, and retroactive rights to users' personal information - even
after they deleted their accounts. The EPIC complaint was supported by
more than a dozen consumer and privacy organizations.

Facebook's original Terms of Service stated "[w]hen you post User
Content to the Site, you authorize and direct us to make such copies
thereof as we deem necessary in order to facilitate the posting and
storage of the User Content on the Site." The original Terms of Service
also promised "[y]ou may remove your User Content from the Site at any
time. If you choose to remove your User Content, the license granted
[to Facebook] will automatically expire..." These clauses allow
Facebook to make use of user-generated information in a manner that is
consistent with typical privacy laws, which permit the business use of
customer data for purposes that are necessary or incident to the
provision of the service.

Facebook's modified Terms of Service removed language regarding
deletion of users' content from Facebook and the expiration of
Facebook's right to use such content. The modified terms also omitted
the provision limiting Facebook's use of user data to activities
incident to providing the service. The modified terms permitted
Facebook to utilize users' personal information for any purpose –
including explicitly the commercialization and monetization of Facebook
users' names and likenesses – for Facebook's benefit. Facebook's
modified Terms of Service asserted greater rights to user data than
policies established by similar services, including MySpace, Yahoo, and
Twitter.

In response to user concerns, Facebook has established a new Group
Facebook Bill of Rights and Responsibilities and is seeking comments
from users. The page includes these statements from the company:

1. You own your information. Facebook does not. This includes your
photos and all other content.
2. Facebook doesn't claim rights to any of your photos or other
content. We need a license in order to help you share information
with your friends, but we don't claim to own your information.
3. We won't use the information you share on Facebook for anything
you haven't asked us to. We realize our current terms are too broad
here and they make it seem like we might share information in ways
you don't want, but this isn't what we're doing.
4. We will not share your information with anyone if you deactivate
your account. If you've already sent a friend a message, they'll
still have that message. However, when you deactivate your account,
all of your photos and other content are removed.
5. We apologize for the confusion around these issues. We never
intended to claim ownership over people's content even though that's
what it seems like to many people. This was a mistake and we apologize
for the confusion.

The Complexity of Zero Knowledge

Hi Folks,
Today, looking at UC Davis' speech archive, I found this great talk: "The Complexity of Zero Knowledge" by Salil Vadhan, Harvard University. I really suggest this video.





Tuesday, February 17, 2009

Bro Intrusion Detection System.

Hi folks, today I wanna introduce Bro, a great IDS, maybe not as famous as Snort but very useful too.
Bro is an open-source, Unix-based Network Intrusion Detection System (NIDS) that passively monitors network traffic and looks for suspicious activity. Bro detects intrusions by first parsing network traffic to extract its application-level semantics and then executing event-oriented analyzers that compare the activity with patterns deemed troublesome. Its analysis includes detection of specific attacks (including those defined by signatures, but also those defined in terms of events) and unusual activities (e.g., certain hosts connecting to certain services, or patterns of failed connection attempts).

Bro uses a specialized policy language that allows a site to tailor Bro's operation, both as site policies evolve and as new attacks are discovered. If Bro detects something of interest, it can be instructed to generate a log entry, alert the operator in real-time, or execute an operating system command (e.g., to terminate a connection or block a malicious host on-the-fly). In addition, Bro's detailed log files can be particularly useful for forensics.

Bro targets high-speed (Gbps), high-volume intrusion detection. By judiciously leveraging packet-filtering techniques, Bro is able to achieve the necessary performance while running on commercially available PC hardware, and thus can serve as a cost-effective means of monitoring a site's Internet connection.
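
The event-oriented analysis described above, sketched in Python as an added example (it is not Bro's policy language and not code from the Bro project): a handler receives already-parsed connection events and flags a source whose failed attempts reach several distinct hosts within a time window. The event tuple layout, the "rejected" outcome label, the threshold, the window and the sample addresses are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed connection events (not real traffic):
# (timestamp_seconds, source, destination, dest_port, outcome)
SAMPLE_EVENTS = [
    (1.0, "10.0.0.5", "192.168.1.10", 22, "rejected"),
    (2.0, "10.0.0.5", "192.168.1.11", 22, "rejected"),
    (3.0, "10.0.0.5", "192.168.1.12", 22, "rejected"),
    (4.0, "10.0.0.7", "192.168.1.10", 80, "established"),
    (5.0, "10.0.0.8", "192.168.1.10", 22, "rejected"),
    (6.0, "10.0.0.8", "192.168.1.10", 22, "rejected"),
    (200.0, "10.0.0.8", "192.168.1.11", 22, "rejected"),
]

class FailedConnectionAnalyzer:
    """Raise one notice per source that fails against many distinct hosts."""

    def __init__(self, threshold=3, window=60.0):
        self.threshold = threshold          # distinct destinations needed
        self.window = window                # seconds of history to consider
        self.failures = defaultdict(list)   # source -> [(timestamp, destination)]
        self.flagged = set()                # sources already reported
        self.notices = []                   # stands in for the log/alert action

    def connection_event(self, ts, src, dst, port, outcome):
        """Handler called once per parsed connection event."""
        if outcome != "rejected":
            return
        # Keep only failures still inside the time window, then add this one.
        recent = [(t, d) for t, d in self.failures[src] if ts - t <= self.window]
        recent.append((ts, dst))
        self.failures[src] = recent
        distinct = {d for _, d in recent}
        # Repeated failures against one host do not count as a sweep.
        if len(distinct) >= self.threshold and src not in self.flagged:
            self.flagged.add(src)
            self.notices.append((ts, src, len(distinct)))

def run(events, threshold=3, window=60.0):
    """Feed events in time order to the analyzer and return its notices."""
    analyzer = FailedConnectionAnalyzer(threshold, window)
    for event in sorted(events):
        analyzer.connection_event(*event)
    return analyzer.notices

if __name__ == "__main__":
    for ts, src, count in run(SAMPLE_EVENTS):
        print(f"t={ts}: {src} failed against {count} distinct hosts")
```

With the default settings only 10.0.0.5 is reported: 10.0.0.8 retries a single host and its later failure falls outside the window.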


Sponsored by the National Science Foundation, it's one of the most used IDSs in public companies. Let's start installing it on a new Intel Mac.
As with a lot of source packages, the first step is running the ./configure script, which says that everything looks great.


I really wanna use libgeoip and libmagic, so I decide to install them through port by typing sudo port install libgeoip libmagic. I try ./configure again and this time I'm able to use libmagic and libgeoip too. After that, as usual, make and make install, and the Bro IDS should be installed (actually you probably need some other packages, also available in port). If you wanna speed up the process you probably want to try the make install-brolite command. This process can be quite long; of course it depends on your machine's speed, but it usually takes some minutes to compile and install (especially on a laptop). Running bro directly from the installed path /usr/local/bro/, it runs great! What you need is a good configuration, which might be found in this little guide.

What you see is a really easy to install and light IDS. Now, what is the best solution? Actually I have no idea, BUT I'll be happy to read something from you guys about the main differences between Bro and the Snort IDS. Which IDS do you suggest? Why? Both are pretty easy to install; at first sight maybe Snort is more difficult to set up, and if you wanna a great configuration it takes more human time, but I won't write more about which is the best in terms of installation, human time, speed, false positive percentage and false negative percentage. I'd appreciate hearing some of your experiences.


Thursday, February 12, 2009

Still no privacy for people screwed by Facebook's hackers

Probably many of you guys remember the huge Facebook privacy bug published last March. If you don't remember, the hack was pretty simple: using the user ID, the attacker could see the private pictures by forging a simple URL like the following one.

Finding the user ID using a Google search is immediate and pretty intuitive. This hack was live for some days during March and after that was patched by Facebook. So, where is the problem?



I know, it could seem a normal bug-and-patch process like many others on the net but, to me, it's different. Stealing information, private data and passwords might be less "intrusive" from the privacy point of view. Information, private data and passwords may change; for example, if someone got your password, you can change it. Again, if someone stole your home address or your phone number you can change it, but if someone stole your digital pictures you lose control of them. You cannot control the lifetime of each picture and you cannot break the circulation flow. This is the proof: months have passed and these pictures are still on the web. Some of them might be saved on users' hard disks, and no one will know when and where the pictures will appear again.

Thursday, February 5, 2009

AS3: Easy Web Camera SnapShot

Today I investigated a little of ActionScript 3. What I really wanna do is an easy script to take a web camera snapshot. Coming from AS2, I was impressed by the EventListener present in AS3: like a complete programming language (I'm thinking of Java or .NET), AS3 has the listener object, which reacts to an Event.

Taking a snapshot from the web camera means converting the BitmapData captured from your web camera into a JPG (or PNG) image and saving it to a file. To do that you need a special library named as3corelib, available on Google projects (here).
The corelib project is an ActionScript 3 Library that contains a number of classes and utilities for working with ActionScript 3. These include classes for MD5 and SHA 1 hashing, Image encoders, and JSON serialization as well as general String, Number and Date APIs.
Download the library and copy the folder "/src/com" under your project's path, or add "/src/com" to the general Adobe framework under "/Configuration/ActionScript 3.0/". Now you're ready to write your easy AS3 to grab the web camera stream. I've built 3 buttons: SNAP (AS3 name: button1), which takes the image and interrupts the web camera stream to the output video (AS3 name: video); RED (AS3 name: redButton), which drops the image and reattaches the web camera stream to the output video; and GREEN (AS3 name: greenButton), which takes the image captured by "SNAP" and saves it through a PHP page. In practice:

import com.adobe.images.PNGEncoder;

// Initial UI state: only the SNAP button is visible
redButton.visible = false;
greenButton.visible = false;
button1.visible = true;

// Camera.getCamera() returns null when no camera is available
var cam:Camera = Camera.getCamera();
if (cam != null) {
    cam.setQuality(0, 100);
    // 800x600 at 24 frames per second
    cam.setMode(800, 600, 24, true);
    video.attachCamera(cam);
}

// Encoded bytes of the last snapshot
var ba:ByteArray = null;

button1.addEventListener(MouseEvent.CLICK, snap);
redButton.addEventListener(MouseEvent.CLICK, retake);
greenButton.addEventListener(MouseEvent.CLICK, ok);

// SNAP: copy the current video frame, encode it and freeze the preview
function snap(e:MouseEvent):void {
    var bmd:BitmapData = new BitmapData(video.width, video.height, false);
    bmd.draw(video, new Matrix());
    // Note: the bytes are PNG-encoded, although the request below names the file sketch.jpg
    ba = PNGEncoder.encode(bmd);
    video.attachCamera(null);

    redButton.visible = true;
    greenButton.visible = true;
    button1.visible = false;
}

// GREEN: POST the encoded image to the PHP page, then resume the live preview
function ok(e:MouseEvent):void {
    var header:URLRequestHeader = new URLRequestHeader("Content-type", "application/octet-stream");
    // The PHP page must treat both the "name" parameter and the POST body as untrusted input
    var jpgURLRequest:URLRequest = new URLRequest("jpg_encoder_download.php?name=sketch.jpg");
    jpgURLRequest.requestHeaders.push(header);
    jpgURLRequest.method = URLRequestMethod.POST;
    jpgURLRequest.data = ba;
    navigateToURL(jpgURLRequest, "_blank");

    video.attachCamera(cam);
    redButton.visible = false;
    greenButton.visible = false;
    button1.visible = true;
}

// RED: discard the snapshot and resume the live preview
function retake(e:MouseEvent):void {
    video.attachCamera(cam);
    redButton.visible = false;
    greenButton.visible = false;
    button1.visible = true;
}

stop();


Thanks to these few AS3 lines we're able to capture a snapshot from the web camera stream. The result looks pretty nice. Obviously you may change the graphics just using Flash's power.