Thursday, 17 December 2009

Who's fixing the security hole?


Every day, if you're listening hard enough, you'll hear about security holes in the software you use - on your computer, on your phone, in your car. We've gotten used to it, so we don't pay much attention. That's because we assume that something has been done about it, or is being done about it. But is that right?

The other day a friend of mine received a message on Facebook. The message said that an interest group he had joined on the social networking site had been hijacked. The message explained that there was a security hole.

If all the administrators of a Facebook group had quit, then anyone - whether they were a member of a group or not - could step in and take over.

They could then do whatever they liked: change the name of the group, send messages to all group members, pretty much run riot. Which is what had happened here.

Actually, this guy had taken over nearly 300 groups, changed their names to Control Your Info, and sent all their members a warning message. The warning made clear that he could have done something far worse, but he didn't. All they wanted to do, they said, was highlight how easy it was.

Facebook was less than impressed. They told me that no confidential information had been at risk and said this kind of hijacking was rare. Which may be true, but that probably was small comfort to the members of nearly 300 groups.

Now this all may seem a bit obscure. And it is. But there's a bigger issue involved.

The person or persons involved in this attack claimed they were doing a public service to raise awareness of how vulnerable our information is on social networks. They also say that if they'd just written a blog post about it, nobody would have listened.

What they didn't make clear is whether they'd tried to tell Facebook about it first. There's an etiquette among computer nerds that if a security hole like this is found they let the person responsible for the product or service fix it before they go public.

The problem is that often these nerds find their noble efforts are not recognized by the company involved. At best they get a grunt of acknowledgement; at worst they're ignored.

An example: one of my friends recently pointed out that a premier vendor of data protection services and software had left a gaping hole in its online store.

He was right. Set up an account and make as if you're going to buy stuff, change a character in the resulting web address, and you can see all the details of other recent customers: their name, address, type of credit card, even, in some cases, a partial credit card number.

Enough to call the customer up, impersonate someone from the company, and ask for the missing data.
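The store flaw described above is an order lookup that trusts the identifier in the address and never asks who is requesting it. The following is an added illustration, not code from the column or from the vendor involved: a constructed order store with the flawed lookup beside a fixed one that checks ownership, plus a small check over constructed access-log lines that flags sessions viewing orders they do not own. All account names, order numbers and log lines are made up.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Order:
    order_id: str
    owner: str         # account that placed the order
    card_partial: str  # the kind of detail the column says was exposed
# Constructed sample records standing in for the store's recent customers.
ORDERS = {
    "1001": Order("1001", "alice", "4242"),
    "1002": Order("1002", "bob", "5100"),
}
class Forbidden(Exception):
    """Raised when the requester does not own the requested order."""

def lookup_order_vulnerable(order_id: str, session_user: str) -> Order:
    # The flaw: the identifier from the URL is trusted and nobody checks who is asking.
    return ORDERS[order_id]

def lookup_order_fixed(order_id: str, session_user: str) -> Order:
    # Hardened form: fetch the record, then require that the session owns it.
    # Treating "missing" and "not yours" alike avoids confirming which IDs exist.
    order = ORDERS.get(order_id)
    if order is None or order.owner != session_user:
        raise Forbidden(f"order {order_id} is not available to {session_user}")
    return order

def can_view(order_id: str, session_user: str) -> bool:
    try:
        lookup_order_fixed(order_id, session_user)
        return True
    except Forbidden:
        return False

# Constructed access-log lines in the form 'user=<account> GET /orders/<id>'.
SAMPLE_LOG = ["user=alice GET /orders/1001", "user=bob GET /orders/1001",
              "user=bob GET /orders/1002", "user=bob GET /orders/1003"]
def foreign_order_views(log_lines):
    # Detection: (user, order_id) pairs where a session viewed an order it does not
    # own. A run of these from one account is the signature of someone walking IDs.
    hits = []
    for line in log_lines:
        user_field, _method, path = line.split()
        user, order_id = user_field.split("=", 1)[1], path.rsplit("/", 1)[1]
        order = ORDERS.get(order_id)
        if order is not None and order.owner != user:
            hits.append((user, order_id))
    return hits
```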

Not very reassuring. But even less reassuring was the company's response: it took them nearly a month to fix the hole. Only then did my friend publicly reveal the flaw.

Obviously something is broken here. I don't condone the actions of the Facebook hackers. Their actions have not so much raised awareness about the need to be careful with information as freaked people out about something they could do very little to fix.

The problem here is not us users, it's them. The companies selling us stuff. There are bound to be holes. They not only need to fix them, but fix them quickly. And provide an incentive for folk who find them to report them without making a big noise about it.

yanportal.blogspot.com