Wednesday, August 01, 2007

Putting It All Together... Privacy, Security, Cybercrime and Safety

Summary of a talk by Parry Aftab at the IFIPTMA Conference in Moncton.

It is important that you know why I am so trustworthy. I am the most trustworthy person on the internet. A recent widow in Nigeria wrote to me and told me so. I get all these emails. So I must be trustworthy.

I started using the internet with AOL. They said, we will never ask you to send your password. I got an email, though, from AOL, asking for my password. So I sent them a note and complained. That was the beginning.

I'm a privacy and security lawyer. I used to advise big companies on the internet. I got a phishing email from 'PayPay'. I would have fallen for it if I had had the passwords. So I forwarded it to the security team saying 'log in and fix what is wrong'.

I got the first phishing email from Citibank, the first bank to be phished. What they did, they didn't hide it, they put a notice on the front page. The others often hide.

Now you need to recognize that this is coming from everywhere, and you guys can sit in your ivory tower and tell me there isn't anything we can do to stop it, and we should all just give up... what should we do?

If you talk to kids, ask them what they shouldn't share on the internet, they say, personal info, name, address, and that. So what do they do? They create a profile on the internet, on Facebook, on Bebo.

Even if you get kids to listen, you get kids blabbing stuff on the internet. 'My friend Jennifer... she's so careful, she has no profile on the internet... here's her picture... here she is in her father's convertible... with its special license plate... she lives across the street from me... Anyhow, Jennifer is so safe on the internet.'

People put things up in a well-meaning way, and people are still put up over the internet. Does this put her at risk on the internet? Maybe... not as much as you might think. People may think kids are kidnapped... but the kids always go willingly to a meeting with a stranger. But eventually, the kids will grow up and want to go to Harvard or whatever.

So how do we deal with these things, with 'information bleed', as I call it? It comes from people, who are sharing too much information on the internet.

A lot of that information comes back and haunts you. It haunts you when you're getting a divorce - even if it's behind a password, divorce lawyers are subpoenaing it. Virtual adultery. Lawsuits - a lot of data information, collected from preferred customer cards - there was a lawsuit from someone who slipped on water and fell, so the supermarket chain that he sued checked his record and saw that he was buying beer every week, so they came back and said he was probably drunk at the time.

I often say, don't share what you don't want your parents, kids and police to see. We have to add college presidents and employers to that. A lot of people are losing their jobs because of what they post. One person put on his resume, 'one job, great boss' but on his Facebook he said 'four jobs' and was badmouthing bosses. But then he says the Facebook is private. Hello.

(But - my comment - you're saying people should keep the info off Facebook - why? to protect their lie on the resume??)

What you say online is not private, it is not secure, it is what you put on the billboard on I-15.

I was doing a briefing for the Secret Service. Someone was doing something on phishing, he described something that happened to me and I didn't even know I had been phished. I was doing research on how to steal movies. I went to a site I saw on the internet, it asked me to sign up, I put in my credit info, got in behind the front screen, and it simply referred me to Kazaa. They sold my card to other people who charged money on my card. So - when you get these emails that say you can get software way below market - they know you're not going to report it to anybody.

I saw a celebrity, I said to him, a lot of people on the internet are pretending to be him, saying, "Hi, I'm Nick, I like your picture, go another, in a bikini." We are convinced we are the only ones who lie, but everyone else lies, everyone lies online. 'Catch the jumping frog and win!' I can tell you most adults will fall for that but I can't tell you a kid who will.

Getting the info out there - we're looking for this or that. We think we know who we're talking to. We think they're cute boys or whatever. But they're Revenue Canada. Or something.

Perspectives... what hat do you wear? Many of you are academics, researchers. Some of you are educators. All of us are consumers. Most of us are employees or employers. Some are lawmakers. All of us are members of families. You may wear several hats, and your perspective may change.

For example. Collecting data from employees' email. Someone asked, 'should we?' Your perspective may change on that. You have to remember, in the U.S., everything is done by law. The lawyers will sue you at the drop of a hat. Nobody pays the loser's legal fees. They're good at it. So maybe in your company people are passing around jokes, maybe racist jokes. Maybe they're passing trade secrets. Somebody's looking for somebody to sue - and in the U.S. you have to preserve all the emails now. So maybe the FTC is suing somebody for antitrust. Or maybe somebody signed a confidentiality agreement?

We had an issue in Miramichi where someone sold a computer, which had a whole lot of data on it. I sat in on an operation with the FBI where we were war-driving, capturing a lot of information from their hard drive. You don't know who is looking - cleaner, kids, whatever.

Until we teach people to log off and not put their password on the post-it well, you may not want as an employee to have employers snooping, as an employer, you may have to - how do you deal with that.

We had someone from a health care company here in Moncton saying nobody is giving her advice, and the info she was getting was wrong.

It's like whack-a-mole. We have to stop simply reacting. We have to sit in a room and say, what's next? What would a hacker do? I'm on an anti-phishing group - we can't talk about phishing because we've been infiltrated by phishers. You've got to have forward-thinking expertise. You have to realize this is a serious issue.

Bill Gates asked, in 1995, "Is there any way we can own Internet safety?" He was told, no, we should share it. He decided not to do it. We need to create guidance and best practices - and to do that we need to speak a common language. We have to talk to each other, and we have to come down from the Ivory Tower.

I turned down good jobs to donate my time. So now I give what I know away for free on TV. Somehow nobody sees that as valuable any more. That has to change. We have to talk to each other. Tech translators, tech diplomats. I need the train to slow down enough to tell me what the issues are. How do I get that information to you? We have to make information accessible.

When we talk to people about things they are doing and choices they are making, we have to tell people that, because technology can make it possible to do things - I saw a 1 terabyte hard drive at Costco, I could save everything, what if someone steals it - we should think twice.

I brought in Brad Stowe, from the NY Times, to talk to kids, 12 year-old kids in New Jersey. I asked the kids, what do you do that your parents would kill you for - I don't ask that in front of media any more. They told stories. Putting fat kids' photos on the internet. Sending death threats - one kid said, "I collected information on someone, all the details on her, and then sent an email saying she was going to kill her."

A lot of this comes out of Canada. A woman had an ICQ account, her profile was open, and she was receiving death threats. She came to us for help - we tracked it back, it was a kid from the Maritimes (in Canada).

You are not secure. You have to do something about it. Web designers and coders, they're not doing anything about it.

We have to create a roundtable. I need your help. We need insight and forward-thinking advice. We have to park our egos at the door. We need sharing. There's a lot you can share without losing your competitive advantage.

We need a directory of tech experts in New Brunswick, so we know who's here. When we talked about the project, Cybertrust, there's five different business models here. Taking what you've learned in health and applying it to financial. I'll help you see it.

Who are you? Are you willing to play in a group? What expertise do you have?

(Q and A - who are you? Me (of course), someone from Holland, someone from Japan)

That's the power of these conferences - the networking. What do you need from me?

Comment: people under-report incidents, you may have better statistics than we do.

Right. What we need are some websites advising people where to report when this happens (reminds me of the neighborhood watch program we recently set up at home). Age verification? That's an issue - I don't see a resolution, without a national database of kids, which scares the dickens out of me.

You have to share data. You need to network. You should introduce yourself to each other. It's time. Talk to each other, pass your card around.

Mentioned an organization called WiredSafety - there's nothing in Canada for the curriculum on cybersafety - but I've got it.

Discussion of men taking advantage of kids on the internet. It's moving to extortion on the internet.

1 comment:

  1. Thanks for the summary on my talk. I do not tell anyone (other than underage kids) to avoid using social networks. I think they are powerful ways to share and gain information, network and have fun and encourage interactions. My comment about employers, police, parents and college presidents (adding coaches, and others to whom you want to put "your best foot forward") that others are looking.

    Too many people post something publicly online, thinking the only people who see it are those for whom it is intended (family members, your friends, your workmates, etc.). I want everyone to be aware of the fact that when you post on Facebook, or any other social network or Web 2.0 network, unless you hide your details (using privacy settings, or limiting access), your information is now "out there."

    This is designed to teach responsible use of technology and responsible care for your reputation.

    thanks for blogging.

    Parry
    parryaftab.blogspot.com
