Adam Caudill

Security Leader, Researcher, Developer, Writer, & Photographer

Facebook Scams

As a tip for all my Facebook friends, despite the promises you see spreading wildly across Facebook, you can’t see who’s looking at your profile. If you ever see anything like this, it’s a scam – pure and simple:

If you ever see a page like this, or one that asks you to paste a script into your address bar as this one does, please immediately report the page. If you see any of your friends ‘like’ a page like this or send messages linking to something like this, please warn them – they have likely handed their account over to a scammer or other bottom-dwelling script-kiddy.

If you were unfortunate enough to get a message from a friend and believed what it said, your account is in somebody else’s hands and is being used to spam your friends with a message recommending the same scam to them. Odds are, your account will later be sold to others for spamming – Facebook accounts are sold thousands at a time, and last I saw they go for about $3 each, sometimes more if a person has enough friends.

The best thing you can do if this happens to you is change your password, check the email address and other information listed on your account, then check all of your permissions, including what applications have access to your account. These people move fast, and they can sell accounts several times over, so don’t assume once you change your password all will be good – they’ve probably changed your email address or opened some other means to take your account back so they can keep making money from it.

Be careful and be paranoid; there really are people out to get you.
