ENTRIES TAGGED "privacy"
This controversy impacts everyone (and here's what we can do about it)
As a cyber security author and CEO of a security consulting company, I was personally shocked by the RSA’s attitude about the alleged secret payments it received from the NSA as well as its willingness to weaken its BSAFE product; especially after the weakness became public in 2006. I was even more shocked by the lack of outrage shown by many security bloggers, analysts, and security company executives.
The speaker-in-protest count has reached 13 speakers who have canceled talks they were scheduled to give at the RSA Conference (RSAC) next week, first and most notably, Mikko Hypponen, who published this open letter. A few outraged others have also spoken out about their decision to cancel their talks, including Dave Kearns and, via Twitter, Adam Langley and Josh Thomas.
The need to root out old data goes well beyond creating disk space
A couple of weeks ago Brian Krebs announced that Adobe had a serious breach, of customer data as well as source code for a number of its software products. Nicole Perlroth of The New York Times updated that to say that the breach appears to be much bigger than thought and, indeed, Krebs agrees. Adobe itself announced it first, before Krebs’s initial report, in CSO Brad Arkin’s terse blog post, Illegal Access to Adobe Source Code.
By now, breaches are hardly news at all. All of us pros flat out say that it isn’t a matter of *if* you get hacked, but *when*. Adobe’s is of note solely because of the way that the news has dribbled out. First, the “illegal access” to source code, then the news of lost customer data to the tune of 2.9 million, then upping that to 38 million, but really actually (maybe?) 150 million. The larger number is expired accounts—or something.
Not just paying attention, but starting over
Security has to reboot. What has passed for strong security until now is going to be considered only casual security going forward. As I put it last week, the damage that has become visible over the past few months means that “we need to start planning for a computing world with minimal trust.”
So what are our options? I’m not sure if this ordering goes precisely from worst to best, but today this order seems sensible.
Stay the Course
This situation may not be that bad, right?
Thanks NSA, you've spoiled mobile crowdsourcing for everyone else!
The continual drip-drip-drop of NSA secrets, courtesy of Monsieur Snowden, has provided many of us with a new piece of daily entertainment. But as much fun as it can be to see No Such Agency’s dirty laundry being aired in public, it has a real and lasting effect on how consumers are going to see interacting with their mobile devices. Specifically, it could provide a major setback to the new universe of applications that use crowdsourced data.
There are lots of examples of highly successful apps that are essentially just aggregations of user-provided data. Yelp comes to mind immediately, but another good example is Waze. In both cases, users are providing the service with some fairly private information: where and when they were at a particular location. Waze is even more sensitive, because it is also recording your speed, which might be a bit higher than the posted limits.
Long a development tool, TestFlightApp wants to move into analytics
For most iOS developers, TestFlightApp has become the go-to tool when they want to distribute a development build to testers. For those not familiar with the site, you can register applications, and then upload IPA files signed with either a development or AdHoc profile, either manually or using a desktop app that integrates directly into Xcode.
Once uploaded, your testers can be automatically notified via email that there is a new version of the app available, and download it directly onto their device without having to use iTunes. It can even capture device IDs for new users (or new devices for existing users), and export them for use in the Apple developer portal.
You can also add code to have the running app check in with TestFlight. You can add “checkpoint” flags, ask survey questions (“why did you come to this page”), and have console logs and crash reports automatically uploaded to the site.
The problem is, once you’re ready to ship a production version, you have traditionally had to turn everything off and make sure that the TestFlight library was not linked into the app. This has meant that there was no way to capture crash data from customers running the app. But now that’s changing.
Recently, TestFlightApp announced that it was now OK to leave the library in copies of your app uploaded to the App Store, and to have the app check in with TestFlight. Why the change? Probably because it is needed to support FlightPath, their new analytics tool. FlightPath seems to want to be the Google Analytics of mobile, allowing developers to see how customers use their app and offering demographic data.
FlightPath is likely to be the path that TestFlightApp takes to start monetizing their service. TestFlightApp has always been free, but there has been no pronouncement about whether FlightPath will follow that same model. It is currently in an open beta, so we may have to wait and see what the pricing model for the final product is. Of course, by then, all those beta users will have become hooked.
One major caution for people intending to keep TestFlight in their production code: watch out for leakage of private data! Many test builds spit out tons of information to the console. At times, I’ve had everything going back and forth to a server dumping itself onto the log. If you don’t disable that in the shipping code, you could be accidentally capturing all sorts of sensitive data, including credit cards, HIPAA-restricted information, etc. So make sure that you have compiled out (or disabled) anything like that in the production build (which you can test with an AdHoc profile).
Isis Mobile Wallet is coming this summer, Canada gets its first mobile wallet, and NFC benefits may trump privacy concerns.
Isis announces Mobile Wallet partners and a rollout plan, Rogers Communication and CIBC partner to bring a mobile wallet to Canada, and a look at the theoretical benefits of NFC. (Commerce Weekly is produced as part of a partnership between O'Reilly and PayPal.)
Why remotes need buttons, lawmakers need a clue, and life-critical software needs many eyes.
The latest rumors have Apple eyeing the remote control market, but does minimalistic design work for remotes? Australia wants to impose requirements on ISPs, but at what infrastructure cost? And would you let closed-source software keep you alive?
Financial Times goes all-in on its web app, Flickr puts up fences, and daily deal fatigue sets in.
The Financial Times says subscriber data trumps Apple's reach, Flickr introduces geofencing to keep things private, and the cracks in the daily deal world start to show.
MySQL is missing from Lion Server, and Apple gets a slap on the wrist from South Korea.
A pre-installed version of MySQL is noticeably absent from Lion Server, South Korea penalizes Apple for the location brouhaha, and Java 7's compiler injects a bit of randomness into software development.
Suing your suppliers, tracking your customers, and giving away your assets.
In the latest Developer Week in Review: Everyone sued everyone else, the iPhone's location abilities instigated lots of discussion, and Oracle let Open Office fly away home.