Category Archives: Internet security

Stop Sharing That Meaningless Copyright Status on Facebook



By T. V. Antony Raj


If you have been on Facebook for the last three or four days, you have probably seen an almost serious-looking post, or one of its many garbled variations, shared as someone’s Facebook status.

Here is a screen grab of one of the versions:

Permission for FB

Various versions of this status have popped up since 2012. They are just elaborate hoaxes that have plagued the social-network site for years, and you too might have seen them on your FB pages from time to time.

Do you think copying and posting such a short note that seems to contain complicated and official legalese will protect the privacy and confidentiality of your Facebook account from that moment onwards and privatize the photos and videos you post?

In reality, posting such a status on your Facebook page will not change any privacy rules.

If you think that posting such a status on your Facebook page is the right thing to do, then why are you still posting photos and other items on Facebook under your banner? Would it not be better to deactivate your account?

Remember that social media is not the place for “private and confidential” information. If you do not give permission to use your pictures, etc., how would Facebook show them to your friends?

When you agree to Facebook’s terms of use, you give Facebook a non-exclusive, transferable, royalty-free, worldwide license to use any content you post. You do not need to declare anything about copyright issues since the law already protects you. Hence, any privacy declaration on your part is worthless and does not mean anything.

On November 26, 2012, Max Read published an article titled “That Facebook Copyright Thing Is Meaningless and You Should Stop Sharing It” wherein he dissects this status post line by line and counters each line with excellent explanations.

Facebook addressed the rumours years ago in a fact-checking blog post about the change related to ownership of users’ information or content they post to the site.

Copyright Meme Spreading on Facebook

There is a rumor circulating that Facebook is making a change related to ownership of users’ information or the content they post to the site. This is false. Anyone who uses Facebook owns and controls the content and information they post, as stated in our terms. They control how that content and information is shared. That is our policy, and it always has been.


The Heartbleed Bug Causes Vulnerability in the OpenSSL


By T.V. Antony Raj

It has now been revealed that a very serious bug was independently discovered by a team of security engineers at Codenomicon and Google Security, and they reported it to the OpenSSL team.

Antti Karjalainen, Riku Hietamaki, and Matti Kamunen at Codenomicon found the bug while improving the SafeGuard feature in their Defensics security testing tools. They reported this bug to the NCSC-FI for vulnerability coordination and reporting to the OpenSSL team.

Google Security’s Neel Mehta, who worked independently of the Codenomicon team, is also credited with being the first to discover the flaw, and he reported it to the OpenSSL team.

Now this bug has been nicknamed “Heartbleed” and CVE-2014-0160 is the official reference to this bug. Common Vulnerabilities and Exposures (CVE) is the Standard for Information Security Vulnerability Names maintained by MITRE.

OpenSSL, used by most Internet websites, is a set of open source software tools to handle secure communication. This secure technology is represented in URL addresses by the “s” in HTTPS, indicating that our communications with that particular site are encrypted and a third party would not be able to read any information sent or received. SSL turns our communication into a coded string that has to be unlocked by a digital key. Here is what it looks like for the Facebook login page:

https on Facebook page

According to Matthew Green, cryptographer and Assistant Research Professor at the Johns Hopkins University, the Heartbleed vulnerability in the OpenSSL software was not cleverly engineered to be this way, but is the result of a “mundane coding error”.

The Heartbleed bug allows an attacker to read sensitive information from vulnerable servers and possibly steal items like passwords, cookies, and encryption keys.

The author of the article “The Heartbleed Bug” published on heartbleed.com says:

“We have tested some of our own services from attacker’s perspective. We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able to steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication.”

To the question “How to stop the leak?”, he says:

“As long as the vulnerable version of OpenSSL is in use it can be abused. Fixed OpenSSL has been released and now it has to be deployed. Operating system vendors and distribution, appliance vendors, independent software vendors have to adopt the fix and notify their users. Service providers and users have to install the fix as it becomes available for the operating systems, networked appliances and software they use.”

Barry Abrahamson

In the post “Heartbleed Security Update”, Barry Abrahamson, the Chief Systems Wrangler at Automattic, responsible for running the globally distributed infrastructure that powers WordPress.com, Akismet, VaultPress, IntenseDebate, and others, revealed that the WordPress.com servers “were running the latest version of OpenSSL, which was vulnerable. We generally run the latest version of OpenSSL to enable performance enhancements, such as SPDY, for our users. The non-vulnerable versions of OpenSSL were over two years old.”

Barry assures us that WordPress.com fixed the issue by patching all their servers within a few hours of the public disclosure and replaced all SSL certificates and private keys. He said:

“Out of an abundance of caution, we have replaced all of our SSL certificates, along with regenerating all of the associated private keys. In addition, our servers support forward secrecy so that even if our private keys were compromised, they could not have been used to decrypt old encrypted communication.”

On the question of WordPress.com users resetting their passwords, Barry said that, at this time, they will not be forcing their users to change their passwords. He added:

“If you want to, you are welcome to change your password. If you are using the same password other places on the Internet, we urge you to change your password and remind you to use unique passwords wherever possible.”

Now, with the assurance by Barry on behalf of WordPress.com, I feel secure.
