Google Does *Not* Own Your Data

As an information security professional I find that I am acutely aware of attempts by vendors to propagate FUD and the media to sensationalize news. I was fortunate to attend SOURCE Boston last week and after watching Space Rogue’s talk, “Media Hype in the Information Security Industry”, I feel compelled to not only be aware of misinformation but to point it out as well.

This brings me to Google Drive. With yesterday’s release of Google’s file syncing service there has been a lot of concern over privacy and intellectual rights. In particular, the media has latched on to the following section of the Google Terms of Service:

When you upload or otherwise submit content to our Services, you give Google (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content. The rights you grant in this license are for the limited purpose of operating, promoting, and improving our Services, and to develop new ones.

Most seem to believe this implies that by uploading files to Google Drive you are transferring ownership. This is not the case.

First, it is important to note that these are the general terms of service for all Google products and are not specific to Google Drive. Second, this is only part of the “Your Content in our Services” section. The beginning paragraph clearly states:

Some of our Services allow you to submit content. You retain ownership of any intellectual property rights that you hold in that content. In short, what belongs to you stays yours.

It’s likely that the offending paragraph is the product of an overzealous lawyer attempting to cover every eventuality for all current and future products and services. It is not entirely inappropriate given the functionality built into Google Drive. For example, when uploading a scanned document Google uses OCR to index the file. The system is effectively reading your document to better make it available to you.

This may or may not make you comfortable with using Google Drive. Regardless, I encourage you to read the complete Google Terms of Service so that you can make an educated decision on how much you are willing to share with Google.

Hackers & Choosing a Handle

Recently I re-watched the testimony provided by L0pht Heavy Industries to the U.S. Senate on May 19, 1998 (available on YouTube here). As members of the “hacker think tank” were introduced by their “hacker names” it gave me pause to contemplate my own online identity.

Personally, I hesitate to call myself a hacker. It’s not that I see any stigma with the word, quite the opposite. Hacking is part of my day job but when I think of hackers my mind turns to members of the L0pht and other well known names like Johnny Long, Chris Nickerson, Rob Fuller and Adrian Crenshaw. I believe myself to be a competent pentester (good enough to make a living at it and not embarrass myself in conversations with the people mentioned above) but it’s unlikely you’ll find me discovering 0days or writing exploits.

I’ve operated under a number of handles over the years, mostly N∅MAD or TAGG (a name given to me in the early 90s by a Dutch hacker… a story for another time). Unfortunately, by the time I finally decided to register a domain all the TLDs for every four and five character combination were long gone. This was equally true when it came to social media.

Currently you can find me on Twitter as @ITSecurity. With such a simple name most people assume I was an early adopter. This isn’t true. Twitter was launched on July 15, 2006 and I did not create an account for almost three years (Feb 18, 2009). Even then I did not start out as @ITSecurity. Originally my username was @smaske. It wasn’t until June 24, 2010, almost four years after Twitter launched, that I renamed my account.

I don’t recall what prompted me to change my username. Originally I created an account at the behest of my employer and at some point I figured using my given name was well… boring. Since Twitter names can be changed I thought I’d fall back on handles I’ve used in the past.

When typing, Twitter automatically checks for username availability without needing to press enter. I tried them all:

TAGG	      ↻ Checking…  This username is already taken!
N∅MAD	      ↻ Checking…  Invalid username! Alphanumerics only!
N0MAD	      ↻ Checking…  This username is already taken!
NOMAD	      ↻ Checking…  This username is already taken!

After dozens of combinations I figured I’d try something industry specific:

InfoSecGuy	↻ Checking…  This username is already taken!
ITSecurityGuy	↻ Checking…  This username is already taken!

ITSecurity… I paused to think of something else to append. “Dude?” No, that’s lame. “Pro?” No, that’s arrogant.

ITSecurity	↻ Checking…  Username is available.

Wait, really? It was too good to pass up. I clicked *Save*.

As @ITSecurity, I’m just shy of 1400 followers (spammers & bots are blocked). I’m honestly not sure why people follow me. Perhaps they find my tweets interesting, perhaps it’s the username, perhaps they clicked follow by accident.

Using this account has had undesired results. @ITSecurity seems to be too professional a username and I find myself occasionally censoring tweets. It also feels pretentious to introduce myself to someone with whom I’ve interacted online but am meeting in person for the first time:

“Hi, I’m @ITSecurity.” – Ugh.

So, assuming you made it to the end of this blog post, what do you think? Should I change my username? Is it pretentious? Have I invested too much time in the username to abandon it? I’d greatly appreciate your feedback. Please hit me up on Twitter or leave a comment below.

How I Inadvertently Social Engineered the TSA

This post chronicles a run-in (or lack thereof) with the TSA.
 
Back in October I finally got around to taking the CISSP exam (stay with me, it’s relevant to the story).  When the results arrived I thought it would be humorous to send an e-mail to my team with an image of a police badge saying that I had passed. After a quick Google search I stumbled upon ePoliceSupply, a company that sells legitimate badges to law enforcement officers. The site has a great feature called “Visual Badge” that allows you to see the product with your custom text before ordering.  I quickly put together a mock-up and sent the e-mail.  The gag went over well and escalated until our boss directed the team to come to a consensus on the design and order them.
 
Fast forward a month later.  I’m on my way to ShmooCon waiting in line for a security check at Logan airport.  I go through the motions, empty my pockets, take off my shoes and jacket, remove my laptop and TSA-approved bag of liquids, etc.  When it’s my turn to be screened I open my mouth to opt out of the backscatter machine, but before I can say anything I’m waved over to the side.  “Okay”, I thought, “they’ve flagged me for a pat down anyway”, but this is not what happened.  The TSA agent opened the gate usually reserved for wheelchairs, motioned for me to walk through and escorted me to my belongings.
 
I couldn’t figure it out.  I hadn’t passed through the metal detector or any other type of scanner.  Why were they letting me go?  I didn’t wait to ask.  Gathering my belongings I continued to the gate and tried to puzzle through it while waiting for my flight.  Was I just subjected to some previously unknown test?  Did they just want to speed up the line by using a handheld metal detector but forgot to actually “wand” me?
 
I told the story to a couple of my coworkers and one asked about my badge.  Yes, it was in my carry-on and the bag was being screened at about the same time I was pulled out of line.  We’ll never know for sure but we surmise that the badge was seen on the x-ray machine and I was mistaken for an air marshal…
 
DISCLAIMER: At no point have I ever claimed to be a law enforcement officer and I did not in any way knowingly mislead the TSA.

2011: A Personal Introspective

Over the last couple of weeks many bloggers have recapped the top InfoSec news of the past year and put forth their predictions for 2012. I’m not going to do that, rather, I’m going to take a moment to recap my personal top moments of the year. In no particular order:

New Job – In April I made the decision to put away my luggage and make the transition from a road warrior to an in-house security engineer. It’s difficult to convey how much happier I am. It’s not just that I am no longer traveling; I find my new position much more stimulating, the people are easier to get along with and I feel I have the opportunity to grow as an InfoSec professional. I had also forgotten how nice it is to sleep in my own bed during the weekdays. It’s a luxury I won’t soon forget.

Passing the CISSP Exam – I finally got around to taking the exam. Say what you will about the CISSP (I’ll be right there beside you) but it is with a great sigh of relief that I can say I’ve put this milestone behind me. The subject matter wasn’t difficult; the hardest part was getting in the right mindset (security management methodology vs. real world experience). I’ve always been skeptical about (ISC)2 but with the recent election of Wim Remes to the Board of Directors, I have hope that they will bring real value to the community.

Podcasts – This is the first year that I fully embraced listening to InfoSec podcasts on a regular basis. This is mostly due to the discovery of the “Listen” app in the Android Market which now allows me to take podcasts on the go. Previously I had listened to shows sporadically from my desk but this was infrequent since I was rarely in the office and it wasn’t acceptable to listen to them while at a client. My current subscriptions include (in alphabetical order):

  • Aluc.TV
  • Down the Security Rabbithole
  • Eurotrash Security Podcast: Security with funny accents
  • Exotic Liability
  • InfoSec Daily Podcast
  • Network Security Podcast
  • PaulDotCom Security Weekly
  • Risky Business
  • SecuraBit
  • Social-Engineer.Org PodCast
  • Sophos Podcasts
  • Tenable Network Security

This Blog – Creating a blog has been on my “to do” list for quite some time. Many thoughts and ideas have been set aside only to become old and stale simply because I didn’t have some way to express them. It is my hope that I will be able to bring value to the community which has given me so much. Speaking of which….

The InfoSec Community – There is nothing quite like it. Nowhere else have I felt such a sense of camaraderie as with the InfoSec community. It’s amazing how we can go to any city in the world and with a tweet, have dinner with someone we’ve never met in person but can connect with as if they were a long lost friend. I have met so many people this year. I don’t expect them all to remember me but I would like to thank the people below, just for being awesome:

  • Rob Fuller (@mubix)
  • Jack Daniel (@jack_daniel)
  • Josh Abraham (Jabra)
  • Paul Asadoorian (@pauldotcom)
  • Marcus Carey (@threatagent)
  • Jon Cran (@jcran)
  • Jason (@n00bznet)
  • Tim Mugherini (@bug_bear)
  • Stacy Thayer (@stacythayer)
  • Wolfgang Goerlich (@Jwgoerlich)
  • Schuyler Towne (@shoebox)
  • Andy Ellis (@csoandy)
  • Joshua Corman (@joshcorman)
  • Wim Remes (@wimremes)
  • Apneet Jolly (@Jolly)
  • James Baker (@ABCecurity)
  • Martin McKeay (@mckeay)
  • Bill Brenner (@BillBrenner70)
  • Wendy Nather (@451wendy)
  • Nick Owen (@wikidsystems)
  • Michelle Klinger (@diami03)
  • Tom Williams (@1_tjw)
  • Bob Rudis (@hrbrmstr)
  • …and anyone I inevitably missed.

It was a pleasure to meet you all in person. Thank you again for letting me be a part of the community. I look forward to seeing you again in 2012.
 
Hello World! (Redux)

In the time-honored tradition of programmers everywhere I begin this inaugural blog post with the simplest of expressions:

"Hello World!"

I’ve considered starting a blog for quite a while now.  Unfortunately, I have often been discouraged if not outright prohibited from contributing to the InfoSec community by my employers.  A couple of years ago that changed.  I started attending conferences more regularly and began interacting with the community on Twitter (as @ITSecurity).

After some time I felt I was ready to break out of the 140 character limit and dedicate the time and effort to a blog; however, life inevitably gets in the way. I changed jobs, moved to another state and celebrated a landmark anniversary. Things are settling down and I now work for a company that understands the value derived from interacting with the InfoSec community. I look forward to humbly putting forth what I can, when I can. Your feedback and criticism are welcome.

Cheers,
Steven Maske
 
DISCLAIMER: My thoughts are my own and the opinions expressed here do not necessarily reflect the positions of my employer.