Full Disclosure.
Today I'm going to drop a bit of science on you. This is something I'm very passionate about but have very mixed feelings about. Full disclosure, in the security sense, is when a flaw in a security method is published widely. The argument is that if everybody knows about the issue, there is ample pressure on the powers that be (whoever that may actually be) to fix it ASAP. I'll give two examples of how this has played out in the last 5 years, with very mixed results. The other way of dealing with an insecurity goes by the term "security by obscurity" (I'll shorten it to SbO); more on that in a bit.
Ok. A few years ago there was a series of news reports that explained a "new" phenomenon called "bump keys": a person with a specially crafted key could open or close almost any typical lock (think front doors, padlocks and other similar kinds) in a matter of seconds, leaving no trace or evidence on the lock when done correctly. This exploit had been around for 15+ years and very few people were the wiser, so everybody felt better: no consumers really knew about it, and while all of the security professionals (think locksmiths) knew, only a small subset of criminals knew about it as well. Then it hit the news, and now there were YouTube videos, both instructional videos on how to make and operate these tools and, you guessed it, a rash of break-ins using this method. A few years have gone by, people have mostly forgotten about it, a few companies came up with a few "bump proof" locks and even fewer people have replaced their front door locks. In this case full disclosure was meant to help out Joe Schmo, and life has gone on. All in all, though, very little has changed. Locks are still being sold with no preventive measures and nobody really even wants to talk about it.
Now, very recently a tool has come out on the internet with which somebody with zero computer knowledge, on the same network as you (let's say a wifi network like Starbucks or the laundromat), can hijack an open session (think you're already logged into your Facebook, Twitter or bank account) that's not being transmitted under SSL (the secure sockets layer; it's that little lock next to the https://www bit). Your bank has known about this kind of computer security issue for years, and for many, many years it has been something your bank really wants to help prevent (see also: how to do things correctly), whereas websites that are (and I don't want to say lazy, but just don't care) less concerned about things like privacy and security (looking at you, Facebook) transmit your password under an encrypted layer but not the rest of what you're doing on there after you log in. Mark Zuckerberg was at a coffee shop and his account was taken over by somebody using a method very similar (if not identical), and earlier this week Ashton Kutcher's Twitter account was also taken over. "Dude, where's my SSL?" With these attacks being so public in nature the issue has gotten a bit of attention in the last few months, and as the number of downloads of the tool (which I'm not totally comfortable mentioning here) continues to rise, Facebook has implemented a few minor security enhancements over the last few months and probably will continue to do so. Full disclosure here, by making the tool readily accessible, plus a few celeb attacks that really weren't very vicious, helped (hopefully) bring some positive attention to security that needed some love.
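The weakness above comes down to a site issuing its session cookie without the Secure flag and without telling the browser to stay on HTTPS, so the cookie rides along on every plain-HTTP request. The following is an added example (my own, not from the original post or from any of the sites named): a small audit that checks a captured HTTP response for exactly those two settings. The two responses and the cookie name "sessionid" are constructed for the demo.

```python
# Audit an HTTP response for the conditions that let a logged-in session
# be replayed from a shared wifi network: a session cookie without the
# Secure flag, and no HSTS header keeping the browser on https://.

# Constructed sample: password was sent over HTTPS, but the resulting
# session cookie is usable over plain HTTP.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: sessionid=abc123; Path=/; HttpOnly\r\n"
    "\r\n"
)

# Constructed sample: same site after fixing both settings.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Set-Cookie: sessionid=abc123; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
)


def parse_headers(raw):
    """Return (name, value) pairs from a raw response; names lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def cookie_attrs(set_cookie_value):
    """Split 'name=value; Attr; Attr=x' into the cookie name and its attribute names."""
    parts = [p.strip() for p in set_cookie_value.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {p.partition("=")[0].strip().lower() for p in parts[1:]}
    return name, attrs


def audit(raw):
    """List the findings that would let the session travel in clear text."""
    headers = parse_headers(raw)
    findings = []
    if not any(n == "strict-transport-security" for n, _ in headers):
        findings.append("no HSTS header: browser will still follow plain http:// links to this host")
    for n, v in headers:
        if n == "set-cookie":
            name, attrs = cookie_attrs(v)
            if "secure" not in attrs:
                findings.append(f"cookie {name!r} lacks Secure: browser sends it over http:// too")
    return findings
```

Run `audit(WEAK_RESPONSE)` against real captured responses from your own sites to see which ones still hand out a clear-text session after an encrypted login.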
Remember kids, knowledge is power, and with great power comes great responsibility.