Saturday, December 12, 2009

How to increase the PHP session timeout time in a shared host?

I found this link useful.

(In a shared host, you need your own folder for your session data; otherwise the garbage collector, which runs on session start with probability session.gc_probability/session.gc_divisor (defaults 1 and 100, i.e. 1%) and deletes anything older than the host-wide session.gc_maxlifetime, may inadvertently erase your session data before your own timeout is reached.)

Here's what I have at the top of each php file (extracted from the above link):


<?php
// Only configure and start a session if this request does not have one yet.
$id = session_id();
if ($id === '' || $id === false) {
    $cookie_path = "/";
    $cookie_timeout = 60 * 60;                 // cookie lifetime, in seconds
    $garbage_timeout = $cookie_timeout + 600;  // keep server-side data a little longer than the cookie
    session_set_cookie_params($cookie_timeout, $cookie_path);
    ini_set('session.gc_maxlifetime', $garbage_timeout);

    // Base directory: the host's configured save_path, or the system temp dir if it is unset.
    // (If your host uses the "N;/path" form of save_path, strip the prefix first.)
    $base = ini_get('session.save_path');
    if ($base === '' || $base === false) {
        $base = sys_get_temp_dir();
    }
    // DIRECTORY_SEPARATOR replaces the original guess based on $_SERVER["OS"],
    // which is not set on most servers.
    $sessdir = $base . DIRECTORY_SEPARATOR . "ek_sessions";
    if (!is_dir($sessdir)) {
        // 0700 rather than 0777: a world-writable directory would let other
        // tenants of the shared host read or replace your session files.
        mkdir($sessdir, 0700);
    }

    // Sessions now live in our own directory, so only this script's garbage
    // collector (using our gc_maxlifetime) ever expires them.
    ini_set('session.save_path', $sessdir);

    session_start();
}
?>



Friday, December 11, 2009

Can I know who’s viewing my FB profile?

FB Answer: (Merely browsing won't track you down (unless you consent to install an app that may track your moves). Good news for stalkers???)
Facebook currently does not provide an application that allows users to track profile views or statistics on the views of any specific user content. Third party developers, however, may offer applications that provide some of this functionality. Please keep a few things in mind for these applications:

Applications CANNOT track profile visits for users who simply go to another person's profile; Facebook has made this technically impossible.

In order to be tracked by an application, you will need to specifically agree to allow the application to track your actions.

Adding an application that provides this functionality is purely optional. If you do not want to participate, please do not add the application to your account.

Apparently, if you develop such an FB application to track users who visit your profile, it is a violation of the terms.

I have seen claims about being able to track visitors to your profile in FB; they simply seem to be incorrect. I have also seen claims about this ability in other social networks, but I don't know the truth behind such claims.

A question for social networks in general:
Is it good or bad for FB to provide profile-view statistics to profile owners? Pros/cons for FB? Pros/cons for users (owners, viewers)? [IMO this is a multi-faceted question with no definitive answer; one would need to consider many different aspects, and I am neither in a position nor knowledgeable enough to answer it.]
I, as a user, personally prefer that FB provide at least some anonymous statistics.

Monday, December 7, 2009

What can others collect from your browser?

BrowserSpy

Are we risking only privacy in social networks?

The answer is a clear no. In fact, I recently noted some possible security threats from revealing your DoB alone. Here are some more simple layman thoughts on it (in this post I am not talking about technical vulnerabilities of the social networks themselves; there have already been several exploits of those).

We are kinda addicted to social networks such as Facebook, Twitter, MySpace etc. Social networks are great for getting connected with old friends and staying in touch with friends and family, and also for keeping up to date with technology, news and what's happening around us, and knowing what others are up to. We love interacting with others and being connected. There is nothing wrong with that; but there is a limit beyond which it could be harmful. The whole network works on trust, and just one weak link of trust is sufficient to cause all sorts of trouble.

A couple of examples:

Social networks and physical security: an interesting combination!
We have seen people tweeting or facebooking where they are, what their vacation plans are, etc. This is good information for burglars; in effect, we invite and help burglars to break in.

One social network, and the rest?
There are so many social networks out there that chances are you are only in a subset of them. Say you are in Facebook and not in MySpace. What prevents a bad guy from impersonating you in MySpace? Further, the impersonator can trick your friends into becoming her friends.

Sunday, December 6, 2009

United we stand divided we fall

(United we prevail divided we fail)
I am afraid to say that it is us, the ordinary citizens of SL, not them (who try to get into power or want to keep the power), who are going to suffer due to the on-going divisions in the country. Don't get me wrong; any country should have a strong opposition to have better governance (so that those who are in power do not abuse it). But 50 years after independence we are unable to get rid of the narrow-minded attitude of doing whatever it takes to come to power or to stay in power.

Thursday, December 3, 2009

Why don't I have my DoB listed in FB?

If you have looked at my FB profile, you will see that I only list the birthday (not the DoB). I am not listing the DoB, not because I don't want to reveal my age (of course, someone who knows the contextual information about the FB groups I am in (e.g. Saint Aloysius College - 1998 batch, UoM 1999/2000 batch, etc.) could infer my year of birth), but for security reasons. DoB and security: do you see the connection?

The other day I went to my bank to withdraw some money, but I forgot to carry my bank card, which has the bank account number on it. So I had to show other credentials to prove who I was. After checking a photo ID of mine, the next thing the operator asked me for was my DoB. Now imagine someone with a faked copy of my photo ID, and my DoB listed online, walking up to the counter. What prevents that someone from withdrawing money from my account?

There are even greater consequences: there has been research suggesting a correlation between public information and your SSN. The SSN is confidential information; only certain service providers, such as your bank, rental office, insurance company and utility providers, know it, and leaking it could be a disaster.


Recently, researchers from CMU cleverly showed that one can narrow down the possible SSNs an individual can have using publicly available information. If the attacker knows your DoB and location, they can guess your SSN with high probability:

Information about an individual’s place and date of birth can be exploited to predict his or her Social Security number (SSN). Using only publicly available information, we observed a correlation between individuals’ SSNs and their birth data and found that for younger cohorts the correlation allows statistical inference of private SSNs. The inferences are made possible by the public availability of the Social Security Administration’s Death Master File and the widespread accessibility of personal information from multiple sources, such as data brokers or profiles on social networking sites. Our results highlight the unexpected privacy consequences of the complex interactions among multiple data sources in modern information economies and quantify privacy risks associated with information revelation in public forums.


An SSN has the format xxx-xx-xxxx (Area Number (AN) - Group Number (GN) - Serial Number (SN)); AN and GN are location specific, and anyone can get the list of numbers assigned in each state. This reduces the entropy, since some of the randomness is sacrificed. You might wonder why AN and GN are predictable at all. One reason might be that it helps identify impostors: the number can be checked against the location the person claims.

Here's a pattern they discovered (from the paper):

The above figure shows the distribution of the AN, GN and SN (y-axis) in Oregon in 1996 for some publicly available records. The x-axis is the 365 days of the year, representing the DoBs of the people in the records. Notice the correlations.

The paper also discusses the dramatic reduction in the entropy of SSNs. (For better security you need higher entropy: if you can inject more randomness, you get higher entropy and the value becomes less predictable.)

Without auxiliary knowledge, the theoretical entropy of an SSN can be estimated at 30 bits (in log2).
The more granular knowledge of the assignment scheme that we have shown to be inferrable significantly decreases that entropy (for some states, down to 11 bits).

The point is that one piece of information alone may not be an interesting asset to an attacker, and hence you may think it is safe to reveal. However, it is the correlation of different pieces that makes an attacker's life easier. With social networks and other web sites booming, different pieces of our personal information are available in different places. This public information can be used by attackers to engineer attacks we would never imagine in our wildest dreams. (In short, the more public information is available about us, the less entropy our confidential information has.)
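To make the entropy argument concrete, here is an added Python example (mine, not code from the post or the paper) that counts how many SSNs remain consistent with an observer's auxiliary knowledge and converts that count to bits; the narrowing factors on each rung of the ladder are constructed assumptions, chosen only to show how the figure falls from about 30 bits toward the 11-bit figure the paper reports for some states.

```python
import math

# Field sizes of the 9-digit SSN AAA-GG-SSSS, ignoring the handful of values
# that are never issued; this gives the ~30-bit figure quoted in the post.
AREA_VALUES, GROUP_VALUES, SERIAL_VALUES = 1000, 100, 10000


def remaining_candidates(areas=AREA_VALUES, groups=GROUP_VALUES, serials=SERIAL_VALUES):
    """SSNs still consistent with what an observer knows: each argument is how
    many values of that field remain possible after applying auxiliary facts
    (birth state, DoB, issuance order)."""
    return areas * groups * serials


def entropy_bits(candidates):
    """Entropy, in bits, of a secret drawn uniformly from `candidates` values."""
    return math.log2(candidates)


def guess_success_probability(candidates, attempts):
    """Chance that `attempts` distinct guesses include the right value. A
    verifier's retry limit only helps while the candidate set is large."""
    return min(1.0, attempts / candidates)


# Constructed ladder of auxiliary knowledge. The narrowing factors are
# illustrative assumptions, not figures taken from the Acquisti & Gross paper.
KNOWLEDGE_LADDER = [
    ("no auxiliary knowledge", {}),
    ("birth state known: 5 area numbers", {"areas": 5}),
    ("plus birth date: one active group number", {"areas": 5, "groups": 1}),
    ("plus issuance order: one area, 2000 serials", {"areas": 1, "groups": 1, "serials": 2000}),
]


def entropy_ladder(ladder=KNOWLEDGE_LADDER):
    """Return (label, candidates, bits rounded to 0.1) for each rung."""
    rows = []
    for label, narrowing in ladder:
        n = remaining_candidates(**narrowing)
        rows.append((label, n, round(entropy_bits(n), 1)))
    return rows


if __name__ == "__main__":
    for label, n, b in entropy_ladder():
        p = guess_success_probability(n, 10)  # e.g. ten tries before lock-out
        print(f"{b:5.1f} bits  {n:>13,d} candidates  P(hit in 10 tries)={p:.1e}  {label}")
```

The last column is why a verifier (such as the bank counter in the story above) should not treat a number whose entropy has collapsed like this as a secret on its own, regardless of how few attempts it allows.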

Note: From the security PoV it would be much better for me to hide my birthday completely in FB. You might be wondering why I am not doing so; privacy is a strange thing; it is an economic good; it has trade-offs. I currently perceive that the benefits outweigh the threats :-)
(Maybe I'll write about the privacy economy in a future blog; there has been a lot of research in this topic for quite some time.)