The security community echo chamber was rocking hard over the weekend with news of an online backup/sharing service, Dropbox, changing its Terms of Service to grant them “worldwide, non-exclusive, royalty-free, sublicenseable rights to…” do basically anything they want with your content. From Dropbox’s point of view, this is the sort of thing that they claim they need to have in order to provide you the service. That may or may not be true, but it was probably something their legal counsel told them that it would be in their best interest to include.
I still believe that the presentations and panels being selected for most information security events are much too far removed from the “roots” of the art. Often this reaches the point where a full slate of presentations turns out to be mostly glorified keynotes, leaving attendees with little more than feelings, whether warm fuzzies or cold pricklies, to take home. This is a negative thing for many reasons, but before we start let’s make sure we’re speaking the same language.
The question sounds crazy, especially for someone who’s spent a fair amount of the last year working on making spam and other malicious message detection on social networks better. But we do a disservice to tools geared for protection when we don’t think long term about their consequences. Does better spam detection on, say, Twitter reduce the total amount of spam that users see, or does it just change the signal-to-noise ratio?
The Facebook data team released some interesting data a few days ago focusing on the connectedness of their social graph, taking six degrees of Kevin Bacon and looking at how many connections away from each other any two people on the network are. From their research it seems like more than 90% of people on the network are separated by only four degrees, meaning that any person A has a friend that knows a friend of person B.
Last week I had the opportunity to attend the first public planning/brainstorming session for the DHS-seeded Open Information Security Foundation and their next-generation IDS project. Lots of good discussion, with the first couple of hours focusing on the foundation itself; the rest of the day was spent discussing various features that would be required by the IDS and roughly prioritising them into “version 1” or “later” categories. For those of you who aren’t familiar with OISF, they were created primarily to build this next-generation IDS and license it under GPLv2, while also allowing less restrictive licensing to vendors who don’t want to reveal/publish proprietary additions/plugins, and providing a safeguard against taking a source tree private/commercial.