
Shouting fire in a crowded Twitter

September 22nd, 2010  |  by jz  |  Published in cybersecurity, Future of the Internet  |  3 Comments

Tweeting has become a foundational Internet technology.  It’s not even dependent on the World Wide Web — people can send and receive tweets without having to visit twitter.com.  And the act of tweeting isn’t even unique to Twitter — many other Internet platforms are seeking to compete by allowing people to “emote” an update to a self-designated group of followers.  Thus Facebook has made central its desire to know “what’s on your mind,” and many other sites are seeking to let people casually share what they’re up to, such as users of Google Reader sharing items that they find interesting.

Foundational technologies like this can attract attacks the same way that banks beckoned Willie Sutton: crooks go where the money is.  Here the money is people’s browsers and PCs; compromise them and you can potentially access their passwords and personal information, and even cause them to pay the attack forward — involuntarily tweeting the next attack vector.  With many interlinked users, a vulnerability can be exploited with lightning speed.  It’s a reminder that a feature we cherish about the Internet and Web — linking disparate people and sites seamlessly together — can also be a problem.  Consider a standard Web page at, say, nytimes.com.  You’re visiting the New York Times, and that’s where the page is thought to come from.  But in a venerable practice echoed by nearly every other online news and content hub, nytimes.com serves up banner ads from a vendor like doubleclick.net.  Your computer visits doubleclick at the instant of rendering the page for you so that an ad can appear in its designated real estate.

In fact, given its popularity as an ad server network, your computer probably visits doubleclick.net more than almost any other site — even though you’ve likely never asked to go there yourself in your Web surfing.  Doubleclick in turn gets the ads it runs from its customers: companies who want to sell you something or otherwise try to get you to click on their ads.  So: visiting one site actually means you’re visiting a third-party site, which in turn is getting content from fourth parties.  Even the most careful site can thus become host to malware, if the ad content is designed to attack your browser, not just appeal to your eyeballs.  Just ask the New York Times, which suffered this problem last fall.  It’s akin to the fact that a hamburger from your favorite fast food outlet contains the meat of 100 cows from three continents.  If just one source has E. coli — watch out.

What to do about it?  In the short term: back up your data, update those virus definitions, and use an obscure browser, figuring Willie Sutton will go for the big banks over the small savings and loan.  Over the longer term, we’ll need defense mechanisms that can react as speedily as an attack can hit — at least enough to eliminate its viral quality when passed around through a platform like Twitter.  Ideally those platforms would be distributed rather than orchestrated by a handful of security vendors, so that the ability to block bad code isn’t so readily triggered by a single gatekeeper — or a government that can pressure it.

That’s because what’s true of code is also true of content.  Perhaps a deeper lesson of this flash-in-the-pan Twitter pandemic is its suggestion of how quickly a meme can spread.  Someone tweets a fascinating but false statement and it gets retweeted and retweeted — with no easy way for a correction to chase after it.  Once alerted to yesterday’s virus problem, Twitter could set up an automated system to look for manifestations of dangerous code in a tweet and squelch it.  Should we sleep better or worse with the thought that the same technique could be applied to another kind of clear and present danger: falsehoods designed to wreck a business, ruin a reputation, or incite a panic?
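One shape the automated screen described above could take, as an added example that is not from the post or from Twitter itself: a detector that flags tweet text carrying markup (tags, inline event handlers, script-scheme URLs), paired with output escaping on render so that whatever the detector misses is displayed as inert text. The sample tweets are constructed for illustration.

```python
import html
import re

# Constructed sample tweets for this example; not captured Twitter traffic.
SAMPLE_TWEETS = [
    "Reading about the Twitter worm today. Scary how fast it spread!",
    'Check this out: <a href="#" onmouseover="alert(1)">hover me</a>',
    "New post: <script>alert('x')</script> retweet please",
    "Fun day with my <3 friends & family",
]

# Signals that a tweet carries markup rather than plain text: an HTML tag,
# an inline event-handler attribute (onmouseover=, onclick=, ...) or a
# javascript: URL. Ordinary "<3" and "&" in prose do not match.
_MARKUP_SIGNALS = re.compile(
    r"<\s*/?\s*[a-z]"       # opening or closing HTML tag
    r"|\bon[a-z]+\s*="      # inline event handler attribute
    r"|javascript\s*:",     # script-scheme URL
    re.IGNORECASE,
)


def looks_like_markup(tweet: str) -> bool:
    """True if the tweet text contains something that would run if rendered raw."""
    return _MARKUP_SIGNALS.search(tweet) is not None


def render_tweet(tweet: str) -> str:
    """Escape tweet text for insertion into an HTML timeline.

    This is the primary defence: after escaping, tags and attributes in the
    tweet reach the browser as literal characters, not as HTML, whatever the
    detector above decided about the tweet.
    """
    return html.escape(tweet, quote=True)


def screen_timeline(tweets):
    """Return (rendered, flagged): every tweet escaped for display, plus the
    subset the detector would squelch or hold for review."""
    rendered = [render_tweet(t) for t in tweets]
    flagged = [t for t in tweets if looks_like_markup(t)]
    return rendered, flagged
```

The regex is a coarse first-pass filter, so the escaping step, not the detector, is what keeps the timeline safe; the flagged list is there for the squelching the post describes.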

[A shorter version of this entry appears in the NYT's Room for Debate blog.]

Responses

  1. Seth Finkelstein says:

    September 23rd, 2010 at 1:51 am

    > … and use an obscure browser …

    Ah, but this doesn’t work overall, because everyone can’t use an obscure browser 1/2 :-). It’s not clear to me which browsers might not be affected, given basic JavaScript functionality.

  2. John Pratt says:

    September 23rd, 2010 at 3:08 am

    I have to say (open source flag held high) – since I moved to Ubuntu 4 years ago – I’ve never (not once) had to worry about virii or malware. I can definitely see your concerns, since Windows-using friends have asked me countless times about the Twitter virus. Another point you’ve raised: people definitely underestimate what they are subject to “lose” if their system dies, crashes, or is attacked. Their music, their contacts, their passwords, their photos, their work, etc. Pay attention, update, and back up – or die.

  3. Andrew says:

    September 28th, 2010 at 2:47 pm

    Pretty disappointing that a “foundational Internet technology” is completely in the hands of a small handful of one corporation’s engineers.



Creative Commons BY-NC-SA Jonathan Zittrain unless otherwise noted.