seawolfsanctuary


Who Are You? And What Do You Want (to do with my stuff)?

May
10

Facebook has been hitting the headlines recently as users are enraged, frustrated and disappointed by the ways in which the company handles its users’ data. Well — according to Facebook’s Terms of Use the data doesn’t really belong to the user but to Facebook Inc., the company behind the site. Go and have a quick read through them if you don’t believe me; you may be surprised at what you find…

Let’s start with the basics. Facebook’s Terms Of Service state that not only do they own your data (section 2.1), but if you don’t keep it up to date and accurate (section 4.6), they can terminate your account (section 14). You could argue that the terms are just protecting Facebook’s interests, and are not in practice enforced, but in the context of their other activities, this defense is pretty weak. As you’ll see, there’s no reason to give them the benefit of the doubt. Essentially, they see their customers as unpaid employees for crowd-sourcing ad-targeting data.

(Source: Gizmodo.)

Since the privacy settings were overhauled last year (and the year before, probably the one before that too), the Terms of Use have been altered slightly, step-by-step, with more and more control over the user and their data. The virtual-social hub of millions of teenagers, twenty-somethings and even the Silver Surfer has arguably turned from networking-do-gooder to personal-all-knower.

Sound harsh? Step back a little: your data on Facebook is your name, photos, friends, what school/college/university you attended, when you were there, what you send via message or post to your friends, what they say back… everything on the publicly-available website. I think this video says it best.


Fossunet

I’ve started using a free alternative, Fossunet. It is much the same comparison to Facebook as identi.ca (Status.net) is to Twitter in the micro-blogging world; the former being an open platform providing the same, if not more, functionality. Okay, Fossunet isn’t as developed as Facebook quite yet, but it shows a lot of promise. One could argue that only third-party application developers are what is needed to make identi.ca really steal Twitter’s thunder.

The real difference between corporate entities and the more open alternative is this: your data should be your own. We have this freedom in the real world; for example, when we introduce ourselves to a fellow dog owner in the park, we don’t expect them to take our photograph and staple it to every lamp-post in town. That may sound silly but if you put information on Facebook for your friends’ benefit, Facebook can do exactly that. Not very respectful unless you happen to be running in an election.

By using free and open alternatives to the ‘because everyone else is’ mainstream, we can each ensure we are treated on our own terms. If you don’t like how they treat you, fork off. (Forking is the term used when a free product is duplicated by another person/company and run alongside, on their own.) We are even free to license our own content and data as we see fit, with the option of reproducing the whole site for ourselves if they don’t agree. The two sites here are licensed under slightly differing Creative Commons licences, like many on-line projects and creative media. This entitles you to have a look at how they work, fiddle with them on your own should you so wish, and even launch one of your own. I implore everyone to take a critical look at the services they use and consider: is there a better alternative? (Maybe not just in ethics and freedom, but perhaps features or even price!)

On Your Docs, Set, Sprint!

April
30


Internet giants Google run a Summer of Code programme, in which ‘students’ each work on an open-source project, guided by mentors from their selected project. It’s a fantastic idea with good momentum and hype behind it; 3,400 students in nearly 100 countries have been accepted since its 2005 inception.

On the back of this, an article recently asked where the “Summer of Documentation” was; this gave me an idea. My favourite lightweight Linux distribution, SliTaz, is a young but already-excellent product, but is in need of a little TLC. @jpeg recently posted on the SliTaz Forum that the handbook and cookbook have not seen quite as much attention as they deserve, especially with the release of the latest SliTaz 3. I’ve advised developers in a previous post to shout out how great their efforts are with (better?) documentation; SliTaz deserves to show the world how simple and easy-to-use/fix it really is and I think this is a perfect way to do it.

So… :-)


I’m Free!

As a software developer, the issue of copyright and distributivity can be contentious. Some coders want to keep total control over their work, others want to share it among users.


Usually, software is developed in a proprietary manner; I define this as many developers working for one company, which hides the wares from anyone else. This one company wants to capitalise on their idea — and efforts — only for commercial gain. Secrecy agreements or clauses in contracts often bind the development team and their efforts to that one company; many developers work for just one cause, their employer.

I understand perfectly that this enhances the reputation of the company and arguably their value to the field for producing their wares. But why constrict the clever chaps (and chap-esses) to just that one company? They can show off their skills and hours to the world, while remaining affiliated with that company. Surely this is even more effective marketing than just quoting the millions of pounds made from purchases?

I license my code as free and open-source software (FOSS) so anyone can obtain and use my work, however they want to. I do this for a number of reasons:

  • It allows anyone to use my work, without being restricted to a certain number of copies or, say, running it on a certain number of computers;
  • Anyone can include my work in theirs (as long as they reciprocate and attribute me!);
  • I can use others’ work and include it in my own, to solve problems or to add extra stuff;
  • Whoever is involved in the projects can gain exposure by creating such useful software, especially with the people to whom it matters most;
  • Other people can provide support in forums, mailing lists, social networks and other resources more easily, by reading the code and the problem hoping to find the missing link between them;
  • The combination of exposure and support means that feedback and improvements can be provided from all people involved in its use, from end-users to senior figures;
  • The free software licensing ensures it is kept free forever.

My passion for and admiration of free and open source software has led me to join the Free Software Foundation, more specifically their European branch. I’m a proud member of this group as I feel it also shows a true commitment to free software and my principles. By providing a financial donation equivalent to two pints of beer a month, I help sustain the Foundation and the awareness, industry protection, campaigns and communities it creates. I carry around with me the smart-card; on it I store some geeky stuff for encryption, signing and logging in to my computer (yes, that geeky!). None of that was why I like this card, though; it signifies that I constantly and consistently abide by my free principles. Each time I open my wallet to show off a business card, borrow a library book or just buy a loaf of bread, the bold colours and title stand out for all to see.

All the code projects I am part of are free and open. Many cost no money to obtain. I am proud to be part of each and every one, in any case. I do so on the condition that the company also recognise my commitments, totally without force. Spreading the ideas and principles of free software and openness among the computing community — or any other — allows people like me to share my ideas and work more freely.

Don’t Miss DEFT: v5X Review

February
05

Almost two months have passed since Stefano Fratepietro released the ‘100% Italian’ forensics distribution, DEFT Linux v5X. With support to its development given by the Italian Information System Forensics Association, this 660MB+ Xubuntu-based distribution is one not to miss.


January
23

FreeBSD: 101… and a bit

December
22

In the last post in this three-parter, we installed FreeBSD on to either a physical or virtual computer. Now we need to apply some basic configuration to adjust permissions, choose a graphical log-in manager and start the desktop. Don’t worry, though: it’s very straightforward!


CAINE 1.5 - “Shining” Example of Conscious Development?

November
27

Four weeks ago I reviewed CAINE v1.0, the first full release of the Italian computer forensics LiveCD. It took the development team a mere six weeks to release version 1.5; how much of an improvement is this edition? How far can one distribution go in such a short time to reach such an increment?


November
23

One Step to Admiration and Appreciation

November
22

So often doing something is simply not enough. You need to show what has been achieved, talk about it, point out how other people can use it, build upon it. Most importantly of all, though: write about it.


CAINE v1.0 Released & Reviewed

October
30

It may be said that Linux distributions are like buses: we can wait at the roadside and see many interesting things go by, when we are waiting for our favourite to come around the corner it seems an age and we worry we’ve missed something, the old adage that we wait and - eventually - many turn up at once. No more true is that than now because Ubuntu has just had a new release, Fedora is currently in beta awaiting its finishing touches and, our feature presentation, CAINE has just turned the big one-point-zero.


FreeBSD: 101

October
22

The majority of content here focusses on the GNU/Linux operating system because it is freely available to obtain, install and use. An alternative lies in its perhaps lesser-used cousins, the BSD family. While slightly more technical, they are an equally ultra-reliable bunch. If Linux isn’t quite your thing, you may wish to use FreeBSD instead. It’s a good idea to at least acknowledge these alternatives exist so I’ve put together a quick How-To guide to get you started using FreeBSD. I do so using virtualisation in Sun’s VirtualBox software, but it makes no difference in terms of the end result.

I aim to provide a guide to get FreeBSD up and running more quickly than following the FreeBSD Handbook, an excellent resource should you get stuck. These posts are for those coming from using Linux, so will assume a decent knowledge of Linux and that you’re not afraid to learn! This post runs through the installation routine; later posts apply some important post-installation configuration to give a solid base system. (We do not, however, discuss any troubleshooting.) An outline of the OS will follow but there’s only one real way to find out, right?


Harden a Linux Kernel

September
24

At the core of any operating system is its kernel, the basic software code that manages system resources and where all code between application and computer passes through. One can imagine that as this software is at the most basic level, it is a prime target for exploitation.

This disadvantage can be turned around, however; introducing or improving security measures at this level means that it can be an effective barrier on all later levels. Many projects exist to do so:

  • Security-Enhanced Linux from the NSA is built into common desktop Linux systems. Gaining popularity through the Fedora Project, SELinux is available for Linux, FreeBSD, OpenSolaris and Darwin (Mac OS).
  • The Linux Intrusion Detection System (LIDS) is a patch applied on top of the Linux kernel and provides security through rule-based access control. It suppresses the all-access power of the super-user (root) so limited damage can be done to the system. It also protects itself through a strong password authentication mechanism.
  • RSBAC has been implemented into the Linux kernel since 2000 and provides access control, similar to LIDS, along with other goodies.
  • Finally (though I suspect many more exist) grsecurity is aimed at web servers or those that accept remote connections. Emphasis is placed on buffer overflows and other more low-level vulnerabilities.

September
23

Bringing the Basics Together

September
19

From the previous few posts, I’ve touched on a number of resources that focus on the concepts of digital forensics. From the outset, digital forensics is often seen as a classy, high-tech operation bringing reams of information at the quick touch of a few buttons. The reality, however, is slightly different. While an investigator can often find what they were looking for quickly, more and more data — that is, raw data — than ever before must be collected and processed. If you have something to hide within the gigabytes of data you undoubtedly possess, you’re going to do anything you can to keep someone from seeing it when they look. It is ever the careful and methodical process that traditional forensics was and will be.
