Archive for December, 2008

Happy New Year-2009

December 31st, 2008

Time has no divisions to mark its passage, there is never a thunder-storm or blare of trumpets to announce the beginning of a new month or year. Even when a new century begins it is only we mortals who ring bells and fire off pistols.

Categories: General

Kids and the Internet

December 19th, 2008

Do you have a member of the “Clickerati” at your house? They are otherwise known as today’s tech-savvy generation of children who are light years ahead of their parents when it comes to new media. They were using computers almost before they could talk, and can find virtually anything — from music to movies to games — on the Internet.

But they’re still kids. And just as adults watch out for their children when it comes to what they eat, or the books and toys they play with, parents should also be aware of what their kids are doing online. Twenty-first century parents need to “catch up”; they should take the time to find out what is available on the Web and guide their children accordingly.

An excellent resource designed for kids and intended to help families explore the Internet together is MaMaMedia.com. One of the only independent sites available for young people, this kids-oriented guide to the Net offers a variety of engaging activities to help users gain technological fluency and expand their minds through playful learning. Children can design and animate characters, make their own digital cards, invent games and share ideas — all within a colorful, entertaining format.

Aimed at kids 12 and under, the site includes a number of innovative, interactive educational opportunities. A “Romp” channel allows kids to explore the Web safely by providing a visual directory organized into seven categories, each with hundreds of sites carefully selected by the MaMaMedia editorial team. Users can also visit “Zap” where they can make digital creatures and screens, or “Surprise” where they can create stories and cartoons. The site also has companion areas that provide information and guidance for parents and educators.

“MaMaMedia prides itself on creating innovative, meaningful ways to marry the power of the computer with the potential of the child,” says Idit Harel, Ph.D., the founder and CEO of MaMaMedia. “The educational value of a Web site comes from stimulating the imagination, not just manipulating information,” she explains.

According to Harel, there is a fundamental set of new-media-literacy skills that all children should be expanding. “Activities on the site are meant to help kids develop the three X’s: eXploration, eXpression, and eXchange of ideas and creations with digital media and technology tools,” says Harel. She considers these skills to be as important as the three R’s to the development of a successful citizen in the 21st century.

“Good internet learning tools are just like a paintbrush or building blocks,” says Harel. “Web experiences for kids should be about learning by doing within a multidimensional creative process, rather than being confined by linear stories or questions and answers.”

The site also provides a way for kids to respond to world events. Within 48 hours of the Sept. 11 tragedy, the MaMaMedia Peace Project was launched. The “HQ for Peace” channel features peace-themed activities such as puzzles, “Mail Bytes” where kids can respond to questions, resources for learning more about the world, and options for sending digital peace greetings to friends and family. Millions of children have used the channel since its inception.

“The peace site provides a safe and expressive space for children to think about and share their feelings, display their digital creations, and exchange ideas about peace, fear and hope,” says Harel.

Harel established MaMaMedia in 1995 after years of study at the MIT media lab. The quality content, based on new learning skills, attracts more than 20,000 children a day, almost 5 million member/users in total since it was launched. The site has won a number of awards, including the Computerworld Smithsonian Award and the Global Information Infrastructure Award.

Categories: Network Security

Hackers eye MySpace users

December 19th, 2008

HACKERS are targeting users of social networking website MySpace using techniques popular with phishing scams. Mass emails sent to MySpace members would contain invitations to add the sender as a friend. When a link in the email is accessed, what seems to be an official MySpace page appears. The user is then asked to download and install the latest version of Adobe’s Flash Player software, which is required to run many of the applications on MySpace. However, the whole exercise is actually a scam, security experts say. Once the program is installed, it would allow hackers to remotely take control of the computer and use the victim’s PC to distribute more spam.

The attack was first detected by security software company Marshall Software on Wednesday morning in its New Zealand test lab.

Marshall Software vice president (Product) Bradley Anstis said this could be the precursor to more advanced and malicious attacks.

“Once you’ve got the client installed on someone’s machine, because it’s (malware), they have the ability to remotely control that application.

“So it’s quite easy to turn on some keylogging or data mining type application that may actually be built into the malicious code they’ve installed… You’ll never really know until they start to open up features inside an application,” Mr Anstis said.

And with a greater number of employees logging onto social networking sites at work, businesses are just as vulnerable as home users.

He said the best protection was educating MySpace users on how to identify dodgy websites and spam email, a view echoed by MySpace Australia’s Director of Safety & Security, Rod Nockles.

Categories: Hacking

Skype blocks poison movie peril

December 19th, 2008

Skype said it has blocked a bug that created a means for hackers to attack vulnerable Windows PCs using malicious video files. The cross-zone scripting vulnerability involves the interaction between Skype and video-sharing sites such as DailyMotion, which allows users to download video clips and add them to their Skype VoIP client. The vulnerability had the potential to affect users of Skype 3.5 and 3.6 for Windows who used Skype’s video gallery to access booby-trapped DailyMotion videos. The flaw, said to affect online video site MetaCafe as well as DailyMotion, came to light in a post by security researcher Miroslav Lucinskij to a full-disclosure mailing list on Thursday. For example, the security bug makes it possible to inject a malicious script to the “Add video to chat” dialogue using the title field of DailyMotion movie clips.

“This means that an attacker can now upload a movie, set a kewl popular keyword (e.g. ‘Paris Hilton’), and own any user that will search for a video with those keywords through Skype,” explains Israeli security researcher Aviv Raff, who has published a harmless proof-of-concept demo to illustrate concern about the bug.

Raff blames a poor security architecture in how Skype hooks into Internet Explorer for the vulnerability. Skype uses Internet Explorer web control within the application to render internal and external HTML pages.

Skype is running these web controls in Local Zone and, worse, accessing HTML pages in an unlocked Local Zone mode, Raff explained.

Other security researchers agreed with Raff that the bug opens the door up to all sorts of mischief. “The attack vector is a bit convoluted, but very much possible and quite practical,” said Petko Petkov, a UK-based penetration tester. “The most obvious approaches would be to either social engineer the user or spam DailyMotion with hundreds of infected movies that correspond to popular keywords.”

The eBay VoIP subsidiary said that the vulnerability was “neutralized before attackers took advantage of it”. Skype said on Friday that it has temporarily disabled users’ ability to add videos from the DailyMotion gallery until an official fix has been made available. In turn, DailyMotion is addressing the vulnerability on their website, it added. A security advisory from Skype on the vulnerability can be found here.

Petkov criticised Skype’s security architecture more generally. He suggested that unencrypted data within Skype’s ads created a means for hackers to taint ad traffic with malware by using packet injection tools such as Airpwn in environments such as public wireless hotspots. Skype is yet to respond to our request for comment on this by tapas time.

Categories: Network Security

Security Researchers Embarrassed After Successful Hackers Attack

December 16th, 2008

Chief strategy officer for security firm StillSecure and security consultant Alan Shimel woke on Sunday morning to discover that his personal blog, which is frequently visited by readers and press, was pointing to a website featuring explicit gay porn. Equally disturbing, he found someone had cracked open his Yahoo! Mail account and published sensitive documents he filed with the Internal Revenue Service. The attackers also sent crude pornographic images to parents on the Little League baseball team Shimel coached.

Shimel is one of three high-profile researchers in the security world known to have been attacked by unknown criminals over the past week. A personal Gmail account belonging to Petko D. Petkov, of the GNUCitizen ethical hacking collective, was ransacked and 2GB of its contents made public. Logs believed to come from the home blog of Security-Protocols.com researcher Tom Ferris have also been exposed.

Security researchers have long been targets of computer- and internet-based attacks. But the recent rash of attacks, which coincided with this year’s Black Hat and Defcon conferences in Las Vegas, is getting more attention in the security world than previous ones.

“You can immediately see how emotional this is,” said one well-known researcher who refused to allow his name to be published out of concern it would make him more of a target. “People are generally worried. You’re always worried you made some stupid mistake.”

Shimel stressed that the breach concerned only his personal blog and email and never extended to StillSecure. Shimel said he reported the breach to the FBI, and Petkov said unnamed law enforcement officials have also been notified. Petkov declined to discuss the attack in detail, except to say it occurred more than a year ago.

Shimel said his scrape with the attackers was a wake-up call for him to follow security best practices, including the use of different passwords for each online account. “It’s going to make me be a bit more vigilant,” he said. “I don’t think these people are worthy of much attention, except that you should do what you normally do to lock down your infrastructure.”

What separates the fresh attacks from previous ones is the degree of malice. The attackers here seem more interested in injuring the reputations and privacy of their victims than exposing mistakes they may have made in locking down their private information. The miscreants have publicly pledged on a mailing list to wage war against more than two-dozen researchers, firms and journalists in the security world. In addition to Shimel, Petkov and Ferris, others said to be targeted include Dan Kaminsky, Joanna Rutkowska, Gadi Evron, Matasano and Theo de Raadt.

Perhaps the most worrisome part of the attacks is that, so far, no one knows exactly how they were carried out. In an email exchange, Petkov said he suspected his Gmail account was accessed through a cross-site scripting (XSS) flaw. Some posit the passwords were intercepted as a result of a colossal debacle in the Debian distribution of Linux, which for more than a year generated OpenSSL keys that are trivial to crack. Once the keys are broken, encrypted sessions, even those from years ago, can be decrypted.

Others guess that the miscreants gained entry through the victims’ blogs, which typically used blogging software from TypePad and WordPress. Those programs have routinely been found to contain gaping security holes. Indeed, Shimel admits the administrative password for his blog (which was parked at GoDaddy at time of writing) was also used to unlock his Yahoo Mail account.

Categories: NETWORKING

How to protect your computer from hackers

December 16th, 2008

Every minute that your computer is connected to the Internet, either through a dial-up (modem) connection or through a broadband (DSL or cable) service, it is at risk. Network security attacks can come at any hour of the day or night.

Ignoring computer Internet security threats can cost you thousands. Your computer is just one machine among the millions connected to the Internet at any given moment. And a moment is all it takes for a hacker to get in. All your private documents and photos, credit card numbers and passwords are available to anyone with bad intentions and basic computer skills.

Hackers can get in, take what they want, and even leave open a “back door” so they can turn your computer into a “zombie” and use it to launch network security attacks, often against high-profile computer systems such as government or financial systems. Having control of your computer gives them the ability to hide their true location as they launch their attacks.

Virus protection is not enough. Don’t think that antivirus software completely protects your computer from Internet security risks. Virus protection is as good as the latest virus definitions, which are created in response to the latest viruses – many thousands of people must be infected before the makers of antivirus software can create a defense. And antivirus software does nothing to protect your computer against direct network security attacks.

If you use a dial-up Internet connection, it is more difficult (not impossible, just difficult) for a hacker to get in, since your computer only connects to the Internet when it has something to send, such as email or a request to load a Web page. Once there is no more data to be sent, or after a certain amount of idle time, the computer disconnects the call. Also, your computer is usually assigned a different IP address on each call.

Broadband services are more of a target for network attacks, since your computer is always on the network, ready to send or receive data and its IP address changes less frequently (if at all).

How to protect your computer against network security attacks and other accidents

1) Use a firewall

This is a software program that monitors all incoming and outgoing network traffic and allows only the connections that are known and trusted. It’s a mandatory tool for your computer Internet security.

The best balance between maximum protection and ease of use is ZoneAlarm Pro from Zone Labs, which is not just a classic firewall that stops all network security attacks, but also…

  • Makes your computer invisible to anyone on the Internet.
  • Automatically removes the most dangerous and useless spyware and viruses.
  • Blocks banner ads and pop-up/pop-under ads.
  • Automatically updates spyware and virus signatures.

Zone Labs has just released the new ZoneAlarm Security Suite - an easy to use computer Internet security package combining their firewall with antivirus, email security, content filtering, and communication protection.

2) Use antivirus software and keep it up-to-date

I recommend Kaspersky Anti-Virus. It detects more viruses than popular Norton AntiVirus and can protect you from even unknown viruses. It was the only antivirus program in the world that repelled attacks of all “ILOVEYOU” virus variations without any additional antivirus database updates. The program checks and cures both incoming and outgoing mail in real-time, is simple to install and use. You only need to choose from three levels of protection.

To find out if you have any viruses or spyware on your computer without having to uninstall your current antivirus or install a new one, you can scan your computer online for viruses and spyware with their free Online Scanner. Just click the link Free Virus Scan on their home page.

The popular ZoneAlarm Internet Security Suite uses the Kaspersky anti-virus engine. Take a look also at Kaspersky Internet Security. It’s a package combining antivirus protection with a personal firewall and an antispam filter, specially developed to protect personal computers against the whole range of network security attacks – viruses, hackers, spyware and spam.

3) Regularly check for spyware and adware

Spyware and adware are files that can be installed on your computer without your permission. These programs allow hackers to track your behavior on the Internet and retrieve your personal information such as PIN, credit card, phone and social security numbers, passwords, usernames, etc. ZoneAlarm Anti-Spyware combines a spyware scanner with a firewall and email security.

4) Don’t open unknown email attachments

Don’t open any email attachments unless they are authored by a person or company that you trust. Also remember that email viruses can often originate from familiar addresses. If you need to open a suspicious attachment, first save it to your hard disk and scan the file using your antivirus software.

5) Disable hidden filename extensions

Windows operating systems contain an option to “Hide file extensions for known file types” (enabled by default). Some email viruses take advantage of a hidden file extension. They use an attachment which may appear to be harmless (.txt, .mpg, .avi) when in fact it’s a script or executable (.vbs, .exe). For example, “LOVE-LETTER-FOR-YOU.TXT.vbs”.

6) Keep your operating system and other applications patched

Most network security attacks would be stopped if all users kept their computers up-to-date with patches and security fixes. When holes are discovered (this happens frequently), computer vendors usually release patches for their software. Some applications automatically check for available updates; for others, you need to check the vendors’ websites periodically.

7) Disable Java and ActiveX if possible

Java and ActiveX are used to write code that is executed by Web browsers. Although this code generally adds useful features, it can be used by hackers, for example, to monitor your Internet activity. You can disable Java and ActiveX in your browser at the cost of limited interaction with some websites.

8) Turn off your computer or disconnect from the network when not in use

If you use a broadband (DSL or cable) Internet connection, turn off your computer or otherwise completely disconnect it from the network when you are not using it. This not only “protects” your computer from Internet security risks, it forces your ISP to change your computer’s IP address more frequently, thus making it more difficult for a hacker to get in.

9) Make regular backups of important data

A hard disk crash or physical theft of your computer results in the loss of all data stored on hard disk. Keep a copy of important files on removable media such as floppy/ZIP disks or recordable CD-ROM disks and store these disks somewhere away from the computer.
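Tip 5 above describes attachments such as “LOVE-LETTER-FOR-YOU.TXT.vbs”, which look like harmless text files when Windows hides known extensions. The following Python check is an added example, not part of the original article: it flags attachment names whose real (final) extension is executable while the visible part ends in a harmless-looking one. The extension lists, function names and sample file names are constructed assumptions.

```python
"""Flag attachment names that rely on hidden file extensions (added example)."""
import ntpath

# Extensions Windows will run or hand to a script host.
# Constructed, non-exhaustive list for illustration; extend it for your site.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta"}

# Extensions users tend to treat as harmless data files (also constructed).
DECOY_EXTS = {".txt", ".mpg", ".avi", ".jpg", ".gif", ".pdf", ".doc", ".mp3"}


def _clean(filename):
    """Strip any path and the trailing dots/spaces that Windows drops from names."""
    return ntpath.basename(filename).rstrip(". ")


def displayed_name(filename):
    """Approximate what the user sees with 'Hide file extensions for known
    file types' enabled: the final extension is dropped when it is a known type.
    Assumption: every extension in the two lists above counts as 'known'."""
    name = _clean(filename)
    root, ext = ntpath.splitext(name)
    known = ext.lower() in (EXECUTABLE_EXTS | DECOY_EXTS)
    return root if known else name


def classify(filename):
    """Return 'deceptive', 'executable' or 'ok' for one attachment name.

    deceptive  - real extension is executable AND the visible name ends in a
                 harmless-looking extension (the LOVE-LETTER pattern)
    executable - real extension is executable, no disguise
    ok         - real extension is not in EXECUTABLE_EXTS
    """
    name = _clean(filename)
    root, real_ext = ntpath.splitext(name)
    if real_ext.lower() not in EXECUTABLE_EXTS:
        return "ok"
    # Padding spaces between the decoy and the real extension are a common
    # way to push the real extension out of view, so ignore them here.
    _, shown_ext = ntpath.splitext(root.rstrip())
    if shown_ext.lower() in DECOY_EXTS:
        return "deceptive"
    return "executable"


def scan(filenames):
    """Return (original name, verdict, name as displayed) for every risky file."""
    findings = []
    for filename in filenames:
        verdict = classify(filename)
        if verdict != "ok":
            findings.append((filename, verdict, displayed_name(filename)))
    return findings


# Constructed sample attachment names; only the first comes from the article.
SAMPLE_ATTACHMENTS = [
    "LOVE-LETTER-FOR-YOU.TXT.vbs",
    "holiday.jpg      .exe",
    "setup.exe",
    "notes.txt",
    "report.final.pdf",
]

if __name__ == "__main__":
    for original, verdict, shown in scan(SAMPLE_ATTACHMENTS):
        print(f"{verdict:10} real name: {original!r}  shown as: {shown!r}")
```

A mail gateway or helpdesk script can quarantine anything classified as deceptive and hold plain executables for review; turning off the “Hide file extensions” option remains the user-side fix.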

 

Categories: NETWORKING

How to keep your personal info and communications private in iPhone.

December 16th, 2008

Once the iPhone connects online through Wi-Fi or the mobile network, it has all of the same vulnerabilities as any networked device; unencrypted data could be intercepted by casual hackers or proactive identity thieves. At press time, the iPhone hadn’t received any large-scale attacks or viruses, but you should still protect your data as a precaution.

Many iPhone features and Internet services offer ways to encrypt your data, but you have to turn them on (or make sure they’re already on) to stay safe. We’ll explain how to protect email, passwords, and other sensitive details no matter where you connect.

 

Use Email Securely

Internet email began as a trusted service, with both sides of a conversation expecting the recipient to be who he or she claimed to be. Encryption came as an add-on, and while common now, certain mail hosts offer different ways of enabling the feature.

When your iPhone (or any other device) checks your email, it can encrypt your login information as well as messages sent and received to prevent any snoopers from reading your email or intercepting your password. Use encryption, which the iPhone calls SSL (secure sockets layer), as long as your email provider supports it. The iPhone switches this on by default.

Some providers call SSL by its current, formal name, TLS, which stands for “transport layer security.” Check with your email provider to be sure it uses this protection, whatever name it goes by.

Of the preset account types recognized by the iPhone—Microsoft Exchange, Apple’s MobileMe, Gmail, Yahoo Mail, and AOL—almost all offer SSL support to varying degrees. Exchange servers require complete SSL; MobileMe supports SSL for receiving and requires it for sending; Gmail requires it for both; and AOL requires it for sending but makes it optional for receiving. SSL doesn’t yet work with Yahoo Mail on the iPhone. The only reason not to use SSL would be because your email provider doesn’t support it; otherwise, verify that it’s on. From the home screen, tap Settings > Mail, Contacts, Calendars, then tap the name of the account you want to check. To make sure you are receiving email securely, scroll down and tap Advanced. Under Incoming Settings, make sure that Use SSL is switched on.

To make sure you’re sending email securely, tap the account name to return to the previous screen, then scroll down to the Outgoing Mail Server, and tap on the server name (in case there is more than one). Make sure that Use SSL is switched on.

[Screenshot: iPhone email settings] You can’t miss that SSL slider. Leave it on unless your mail provider doesn’t support it.

Yahoo Mail uses a proprietary login method called XYMPKI. In July 2007, security researcher Dave Cridland discovered that part of that method involved sending the login name and password without encrypting them, which could enable a hacker to access your email by “sniffing” (recording) the login sequence, then replaying it later. Until Apple and Yahoo announce an update that enables SSL on the iPhone, avoid checking Yahoo Mail on an open (that is, unencrypted) network.

Use Webmail to Retrieve Messages Securely

[Screenshot: Gmail on the iPhone] Look for the lock on the icon to verify security.

Occasionally, you might find that a Wi-Fi access point firewall won’t allow you to contact your mail server. Try using your email provider’s webmail interface in Safari, but keep the transmission secure with SSL. Two indicators that SSL is working in Safari are that the website’s URL begins with “https://” instead of “http://” and a lock icon appears to the right of the URL.

Not every webmail provider offers secure webmail. Of the main iPhone options—MobileMe, Gmail, Yahoo, and AOL—only Gmail offers a secure web connection at https://mail.google.com/mail/. (However, if you use Exchange or a different ISP, contact your administrator to see whether a secure webmail solution exists for you.)

Some websites, such as www.mail2web.com, allow you to check another provider’s email with an SSL-encrypted connection. This can be secure as long as the website offering the service is also secure itself. Mail2web connects to all of the services we tried besides Yahoo, which doesn’t allow you to check your email with other programs unless you pay for its Yahoo Mail Plus service ($19.99 a year, mailplus.mail.yahoo.com).

Encrypt Email

[Screenshot: encrypted email on the iPhone] If you’re close enough to friends that you have a secret language, they can retrieve an encrypted mail by answering a question only they know.

Security experts like to say that sending email is like using a postcard. Anyone can read it in transit. However, using encryption on an email message is like putting a letter into an envelope. It’s not totally unbreakable (otherwise, how would your recipient read it?), but very strong encryption provides good enough security for people who prefer their communications to be private. With well-encrypted email, even if someone intercepts a message, it could take years to decrypt the contents, if they’re successful at all. OpenPGP is the de facto standard for encrypted email, although most people call it PGP (short for Pretty Good Privacy).

Right now there’s no way to encrypt your email using PGP on the iPhone through the Mail program. Instead, consider using Hushmail, which supports PGP encryption. It’s a webmail service, so you can access it from Safari.

With PGP, a public key is used only to encrypt mail; it has no function for unlocking messages. Only the recipient’s private key can open the data. That way, anyone can protect a message sent to you, but only you can read it. Ordinarily, to send email to a PGP user, you tell your mail program about this person’s public key. Hushmail works a little differently, by keeping the encryption transparent to users.

Hushmail users can send encrypted messages to other Hushmail users or to people who have uploaded their public keys to Hushmail. A slightly less secure option hides encrypted messages on the Hushmail server and emails the recipient with instructions on how to retrieve the message by answering a security question correctly. After five incorrect guesses, access is denied.

There are some catches to using Hushmail on the iPhone’s version of Safari. Before starting, be sure to close all other open Safari pages. When composing a message, once you tap the Send button, you’re not done; tap the pages icon in the lower-right and switch to the main Hushmail page. If you don’t, the message won’t send.

Hushmail is free, but it also offers subscription services, enabling 250MB of storage, access to customer support, and assurance that your account won’t be deleted due to inactivity. Hushmail is also working on a mobile Web client, but nothing yet for the App Store.


Be Less Promiscuous On Wi-Fi

[Screenshot: iPhone connecting to Wi-Fi networks] Use an uncommon network name to keep your iPhone from accidentally connecting to other routers.

When you connect to Wi-Fi, if no password is required to join the network, anyone can sniff your packets. This means that an eavesdropper within physical range of your network can listen in on anything that’s sent or received. If your iPhone is set to check email automatically, you might reveal sensitive data by joining such an open network, especially if you don’t use SSL. (If you do use SSL, intercepted communications will be garbled by that encryption.)

Under Settings > Wi-Fi, there’s an option called Ask to Join Networks. However, this option only does what it says the first time you connect; whether you have this option on or off, the iPhone will never ask before rejoining a network with the same name.
So, if you visit a network with a common name, like “linksys,” your iPhone will automatically join every network it discovers with that name. In a single cab ride, you could unintentionally expose your iPhone to dozens of networks with the same name.

If you use Wi-Fi at home, make sure your network has a unique name, so when you’re away from home, you don’t have to worry about someone else having the same name for their Wi-Fi network.

You can also tell the iPhone to stop automatically joining a nearby network by tapping Settings > Wi-Fi > The network’s name, then tapping Forget this Network.

If you plan to join an open network and aren’t using SSL in email, turn off automatic email checks by tapping Settings > Fetch New Data > Manually. Then join the network, and don’t check your email. Restrict your activity to things that don’t reveal sensitive data, like reading websites or playing Hold’Em.

[Screenshot caption: Enable Show SMS Preview to see the beginning of an incoming text message before you’ve entered your passcode.]

If you lose your iPhone, or if a thief manages to slip it out of your pocket, all of your email and data are in someone else’s hands. Stop them from peeking by locking your phone with a passcode.

It’s really easy to set up. Tap Settings > General > Passcode Lock, and set a 4-digit passcode by entering it twice. Just be sure to pick a different PIN than the one you use for your bank card.

Tap Require Passcode to change the duration of idle time before the iPhone asks for the passcode again, saving yourself from annoyance. As Apple suggests, a shorter time period is more secure. Chances are, you’ll be the one entering the code most frequently, so try to strike a balance between convenience and the need for security.

Keep in mind, however, that if someone wants to return your lost phone or contact your family in an emergency, they’ll be stuck at that input screen. To fix this, on your computer, use an image editor to create a picture containing your contact info. Email the graphic to your phone, and set it as wallpaper. Those details will appear behind the passcode prompt.

 

Use A VPN

[Screenshot: VPN account info] If VPN setup gets too complicated, talk to your job’s IT administrator or VPN provider for help.

Suppose you’ve found Wi-Fi access that you don’t trust, but you really need to check your email. As with a computer, you can encrypt your traffic by using a Virtual Private Network. The VPN sends all incoming and outgoing data to a server on another network, all while using encryption. Most people use this to pretend that they are on a network that they’re otherwise not connected to, such as reaching an internal office file server while away. But it has the added benefit of encrypting the connection, making it useful for people that use lots of open Wi-Fi networks.

The iPhone supports three VPN protocols (each of which is good): Cisco IPSec, L2TP over IPSec, and PPTP. If you are already running one of these at home—great! But if, like most people, you’re not, you may want to consider renting a VPN. Some iPhone-friendly VPN providers are listed in VPN Providers Love the iPhone.

Securely Erase the iPhone

[Screenshot: iPhone reset screen] On the reset screen, only tap Erase All Content and Settings if you really mean it.

One of the features Apple touted about the iPhone 2.0 firmware update was the ability to remotely wipe all of the data from a missing or otherwise compromised iPhone, at least for corporate users. As we went to press, the only way to remotely wipe the iPhone was from a Microsoft Exchange server, and then only by an administrator on that server. For residential customers in the United States, there’s no way to remotely erase an iPhone by asking AT&T to do it.

If you decide to sell or give away your iPhone, it’s smart to erase it manually first. Tap General > Reset > Erase All Content and Settings. Connect your iPhone to a power supply first, because the process will eat up a lot of battery power as it overwrites the data. Apple says it takes about an hour per 8GB of space on the iPhone, so plan accordingly.

 

VPN Providers Love the iPhone

The iPhone’s built-in VPN client supports common VPN standards. Here are some VPN providers that cater specifically to iPhone users. Renting a VPN is not the same as getting Internet access. Rather, it provides a secure connection from your iPhone (or any other networked computer) to a VPN server somewhere else on the Internet, confounding any snoopers on an unsecured Wi-Fi network.

Categories: NETWORKING

When Hackers Attack

December 16th, 2008

Marisel Garcia first suspected something was amiss with her laptop when she noticed that the tiny activity light above the built-in camera flickered whenever she was in front of it. The Hialeah, Fla., resident also thought the PC’s battery was draining faster than normal. When she brought her laptop to a friend who worked in technology, he found that someone had installed software that allowed the computer to be controlled remotely. What’s worse, that person had been taking photos through her webcam. 

Investigators say the spyware was created and installed by Craig Matthew Feigin, a 23-year-old student at the University of Florida who had previously offered to fix a problem with Garcia’s computer. Police arrested Feigin, who now faces a federal charge for computer tampering, to which he has pleaded not guilty. In his statement to police, Feigin described how he had configured the software to take snapshots of anyone who moved in front of the webcam. He eventually amassed more than 20,000 images of Garcia, her boyfriend and other friends, and sent snapshots of their most private moments over the Internet to contacts in Eastern Europe. Considered tech-savvy around campus, Feigin was often approached by students who needed help with their computers, and Garcia was in town visiting friends when she asked for his help to make her PC run faster. He admitted to investigators that he had installed the same software on PCs belonging to more than half a dozen other women. 

According to court records, Garcia used her laptop the way many people do today—as a communications link that’s always online and carried from room to room for e-mailing, instant messaging and shopping. This type of open digital pipeline connecting private space and the public Internet is swiftly becoming the norm in America. According to the Pew Internet and American Life Project, more than half of the adult population in America now use broadband Internet. Plus, almost 30 percent of Americans have 3G-capable phones. These are the twin pillars of our digitally connected modern society: High-speed DSL and cable broadband connections have transformed the way people use the Internet at home, while 3G cellular networks have allowed us to take that digital connection on the road. 

As these powerful networks have evolved, so have the devices we use to access them. Personal computers, once self-contained processing machines, have become permanently connected devices. Most software also requires an Internet link to work properly; in fact, the latest trend in “cloud computing” moves software off the computer altogether. The evolution in cellphones has been even more dramatic. These were once analog devices designed exclusively for making phone calls; now they are data-centric mini-computers with integrated satellite-tracking capability. With each new gadget we buy and use, we make a choice to further integrate our lives into the public Internet. That decision has enormous implications for our conventional understanding of privacy and personal space. 

Our digital tools provide an open window to our lives, and a long list of curious characters—hacker peeping Toms, corporate marketers, jealous jilted lovers, snooping government agencies—are eager to look inside. And the digital portrait they see is more detailed than ever. According to market research firm IDC, the average person has an online digital presence of 45 GB—about half of which is created by outside sources. This digital shadow of our lives is colored in with e-mails, photo posts, password hints, Facebook friend requests and location-based queries flowing fluidly in and out of the electronic devices we bring with us everywhere. 

Mobile Positioning System

Cellular phones are the most ubiquitous location-aware devices on the planet: Their very operation depends on knowing where the user is. Any phone can determine its own location (and thus the location of the user) by triangulating from multiple cell towers, then send that information back to the wireless service provider. This capability makes it possible to route calls efficiently to subscribers, and it can often save lives. In 1996, the Federal Communications Commission mandated that cellular providers phase in location-aware Enhanced 911 (E911) capabilities on most cellphones by 2012 to determine the position of a caller in an emergency to within 300 ft. Just last June, two hikers who wandered off course in Alaska’s Denali National Park were found a few days later when rescue workers tracked them through their cellphones. 

Many newer phones are shipping with embedded GPS antennas, giving them location and mapping capabilities that rival embedded navigation systems in cars. But since phones are two-way communications systems, they are open to a variety of uses beyond E911 and simple navigation. 

Many companies are taking advantage of these capabilities to help manage time cards, monitor gas mileage and ensure that workers aren’t slacking off. Gearworks, based in Eagan, Minn., provides location-tracking services to the transportation, infrastructure and healthcare industries. Phones outfitted by Gearworks operate like digital foremen for employees in the field. They can navigate an employee to a job site, record the amount of time it took to get there and perform the job, then allow him to remotely punch out when the job is done. 

According to company co-founder and chief technology officer Rob Juncker, devices using Gearworks location-tracking technology explicitly inform users that they are being tracked, and employees have the option of temporarily disabling the tracking feature for “privacy breaks.” 

Many emerging businesses are using the native tracking ability of modern cellphones to sell location-based information as a lifestyle service to consumers. Startup companies such as Loopt and Whrrl offer everything from real-time directions to information on local restaurants, movie showings and friends in the area. The trend toward location tracking is expected to become the future model for mobile advertising and marketing, serving up ads and special deals not only targeted at you personally, but relevant to where you are geographically. 

Yet legal standards of privacy for use of your location data are inconsistent at best. “The law says that information can’t be disclosed without prior opt-in from the consumer, but that law only applies to telecommunications carriers,” says Jim Dempsey, vice president for public policy at the Center for Democracy & Technology. “But many entities handling location information, or with access to it, are not telecom carriers.” A survey of the privacy policies of many location-based service providers shows how fluid the traffic in personal location data has become. Because many of these services are opt-in, once the user has agreed to the terms, his phone can be tracked even when the application is turned off. And the data collected, along with other personal information, can and will be shared with advertising and marketing partners—that is, in fact, the business strategy of these services. 

A personalized marketing campaign offering discounts at the burger shop around the corner may seem relatively innocuous, but as more cellphone users embrace location-aware phones, their devices automatically create a worldwide web of evidence that can easily show up in court. 

Albert Gidari, a partner with the Seattle offices of Perkins Coie, represents a number of wireless carriers. He has seen at least two civil suits so far in which companies have sought location data from providers. One of these cases, brought by a large insurance company, sought location data on a subscriber who was suspected of stealing and setting fire to his own car in order to recover the insurance payout. 

Both cases were ultimately abandoned by the plaintiffs because of costs. But Gidari suspects the reason more cases don’t involve requests for location data is that litigants simply aren’t aware it’s available. “What I think is on the horizon is that in every insurance case involving a distracted driver, someone’s going to ask, ‘Was the driver on the phone?’ and ‘Was the driver texting at the time of the crash?’” 

The tracking technology in cellphones is exploited not just by businesses and the courts. An established market exists for consumer spyware programs that can be installed on cellphones. Dozens of Web sites advertise GPS tracking devices and stealth software, encouraging users to “catch a cheating spouse” or “keep a watchful eye on your children.” A few hundred dollars can outfit suspicious or obsessed amateur detectives with an arsenal of spy gear. Some of these services let users log into a Web page and get daily reports of their subjects’ movements and even chart their activity using Google Earth, the search giant’s free satellite imagery software. 

Too often, these tools end up in the hands of stalkers and obsessed former lovers. According to Cindy Southworth, director of the Safety Net Project—a nonprofit that trains law-enforcement officers to understand the role of technology in domestic abuse—computer spyware and GPS tracking services are showing up in a huge number of stalking and domestic violence cases. “We get at least one call a week on a new case where spyware is being misused in stalking and ex-lover cases,” Southworth says. 

In 2006, Washington state resident Sherri Peak suspected that her estranged husband Robert was tracking her movements. An investigator confirmed her fears: Robert Peak had hidden a cellphone and a GPS tracking device in the dashboard of her car. Peak rigged the phone so he could dial in silently and listen in on his wife, while tracking her movements on his laptop computer. Peak pleaded guilty to felony stalking and was sentenced to eight months in prison.

Categories: Hacking Tags:

Google’s Answer to ActiveX

December 16th, 2008 No comments

Over the years, a number of technologies have promised to let computer users and web developers run the same interactive code across multiple platforms, with native execution and the related speed benefits. Early attempts at providing this capability were largely limited to single operating system families, such as Microsoft’s ActiveX, which achieves this capability but only on Windows systems.

Until now, the only real technology that has come close to providing a semi-native code experience on a truly cross platform level has been Java, through the sandboxed byte-code that can be delivered through the web and then interpreted using the local interpreter. For many years the sort of Java web applications that were being developed and distributed amounted to little more than intellectual curiosities, but that was at a time that predated even the first Web 2.0 application (Outlook Web Access) by three years (1995 for Java, versus 1998 for OWA).

More recently, Flash and Shockwave have developed the capability to run detailed applications without suffering too much performance hit, though there is very limited interaction with the local system (due to their evolutionary history as web plugins).

Each of the different solution types has had serious vulnerabilities over the years, the most concerning being those that allow code to escape the ‘sandbox’ that the downloaded content is meant to run in (where it is somewhat isolated from the underlying system – hopefully to prevent information leakage and system compromise, but this didn’t always work).

A new technology will soon join the mix, with Google inviting analysis and testing of their Native Client technology. Google’s stated intent with Native Client is to let web developers build more feature-rich cross-platform web applications that can use more client-side resources than just the HTML/XHTML interpreter and JavaScript, and that have more reach than Flash / ActiveX / Java.

As with earlier technologies, Native Client code will run inside a sandbox, designed to limit interaction with the underlying system to only the approved API calls. Probably of more interest to application security researchers is the claim by Google that static analysis techniques will be in use when running downloaded code, in an effort to preventatively neutralise malicious / vulnerable code. Effectively, the interpreter will decompile incoming Native Client content and then assess whether the resulting x86 commands (there is no mention of support for other architectures) can reach underlying system resources that they shouldn’t.
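A simplified sketch of the kind of static check described above, added here as an illustration and not Google's Native Client validator: it disassembles a small subset of 32-bit x86 and rejects code that uses an opcode outside an allow-list or that jumps into the middle of another instruction, where bytes such as `cd 80` (`int 0x80`) can hide. The allow-list, the `validate` function and the sample byte strings are constructed for this example.

```python
import struct

# Constructed allow-list for a tiny subset of 32-bit x86: opcode -> length.
# ret and indirect jumps are left off: their targets are not known statically.
FIXED_LEN = {0x90: 1, 0xF4: 1}                          # nop, hlt
FIXED_LEN.update({0x50 + r: 1 for r in range(16)})      # push r32 / pop r32
FIXED_LEN.update({0xB8 + r: 5 for r in range(8)})       # mov r32, imm32
# Direct control transfers: opcode -> (length, struct format of displacement)
REL_JUMPS = {0xEB: (2, "<b"), 0xE9: (5, "<i"), 0xE8: (5, "<i")}

def validate(code: bytes):
    """Return (ok, reason): linear disassembly, then check direct jump targets."""
    starts, targets, pc = set(), [], 0
    while pc < len(code):
        op = code[pc]
        if op in FIXED_LEN:
            length = FIXED_LEN[op]
        elif op in REL_JUMPS:
            length, fmt = REL_JUMPS[op]
        else:  # int, syscall, sysenter and anything else unknown ends up here
            return False, f"opcode 0x{op:02x} at offset {pc} is not on the allow-list"
        if pc + length > len(code):
            return False, f"truncated instruction at offset {pc}"
        starts.add(pc)
        if op in REL_JUMPS:
            (rel,) = struct.unpack_from(fmt, code, pc + 1)
            targets.append((pc, pc + length + rel))     # relative to next instruction
        pc += length
    for src, dst in targets:
        if dst not in starts:
            return False, f"jump at offset {src} targets offset {dst}, not an instruction start"
    return True, "ok"

# Constructed samples.
BENIGN = bytes.fromhex("b801000000" "90" "eb01" "90" "f4")  # mov; nop; jmp +1; nop; hlt
DIRECT = bytes.fromhex("cd80")                              # int 0x80 in plain sight
# jmp +1 lands inside the mov immediate, whose first two bytes are cd 80.
HIDDEN = bytes.fromhex("eb01" "b8cd809090" "f4")

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("direct", DIRECT), ("hidden", HIDDEN)):
        print(name, validate(blob))
```

The third sample is the reason a plain byte scan is not enough: every instruction seen by the linear pass is allowed, and only the jump-target check exposes the overlapping `int 0x80`.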

While this relies on content having been developed in accordance with Google guidelines, it will be an interesting technology to keep track of and see how it copes when anybody can throw code at it.

With the project to be released under the BSD licence, it shouldn’t be too long before multiple architectures are supported and there are plugins supporting it running on most available software platforms.

Categories: NETWORKING Tags:

Hackers Attack Pro-Tibetan Websites

December 16th, 2008 No comments
Several websites running pro-Tibet campaigns have been targeted by internet criminals, it has been claimed.  

Experts at ScanSafe, an internet security firm, said that two popular websites - SaveTibet.org and FreeTibet.org - have been specifically targeted by hackers. 

It is not clear who is behind the attacks, or what their motivation is, but the cyber strikes are believed to emanate from computer servers in Taiwan and to use a well-known vulnerability in some websites to link to invisible pages. These then attempt to force computers with inadequate protection to download spying programs, which can be used to track their habits or take control of their machines.

“Our initial analysis suggests that it downloads monitoring software to your computer, which would allow the attack to have remote control of those PCs,” said Eldar Turvey, the head of ScanSafe. “We’ve contacted the sites affected and tried to give them an early warning.” 

The affected sites have rocketed in popularity following protests against the Chinese government in Lhasa, and at various stages of the Olympic torch relay. 

A FreeTibet.org spokeswoman said campaigners were not surprised to have been attacked: “We’ve been targeted in many other ways in the past, and I’m actually surprised it’s taken this long.”

She said the site had fixed the problem after being notified of it and that no users’ computers are thought to have been infected with the malicious software.

Categories: Hacking Tags: