In order to get box.com to work on my computer, I had to enable TLS 1.0, 1.1, and 1.2 in Internet Explorer, even though I almost never use IE.
I had turned off all three versions of TLS on security grounds. As a result, I kept getting an error message when I tried to log into Box Sync on my computer (“Cannot connect”).
Box.com help desk’s explanation for the requirement — amazingly — is that SSL 3.0 is not secure so they don’t use it. It’s true there have been issues with SSL 3.0, but TLS, as I understand it, has the same issues plus much worse. [UPDATE: Dan Riley explains why I have it all backwards in the comments.]
On the positive side, I only figured out the source of the problem thanks to efficient and friendly work from ‘Ashley’ at the box.com help desk, so they are doing something right.
We identified three types of scams happening on [Chinese dating site] Jiayuan. … Another interesting type of scams that we identified are what we call dates for profit. In this scheme, attractive young ladies are hired by the owners of fancy restaurants. The scam then consists in having the ladies contact people on the dating site, taking them on a date at the restaurant, having the victim pay for the meal, and never arranging a second date. This scam is particularly interesting, because there are good chances that the victim will never realize that he’s been scammed — in fact, he probably had a good time.
Would be a nice tort problem if I taught fraud (and I should).
Spotted via Schneier on Security: Online Dating Scams.
How Verizon and Turn Defeat Browser Privacy Protections
Verizon advertising partner Turn has been caught using Verizon Wireless’s UIDH tracking header to resurrect deleted tracking cookies and share them with dozens of major websites and ad networks, forming a vast web of non-consensual online tracking. Explosive research from Stanford security expert Jonathan Mayer shows that, as we warned in November, Verizon’s UIDH header is being used as an undeletable perma-cookie that makes it impossible for customers to meaningfully control their online privacy.
Mayer’s research, described in ProPublica, shows that advertising network and Verizon partner Turn is using the UIDH header value to re-identify and re-cookie users who have taken careful steps to clear their cookies for privacy purposes. This contradicts standard browser privacy controls, users’ expectations, and Verizon’s own claims that the UIDH header won’t be used to track users because it changes periodically.
This spectacular violation of Verizon users’ privacy—made all the worse because of Verizon’s failure to allow even an opt-out—has already had far-reaching consequences.
UPDATE (1/17/15): Ad Network Turn Will Suspend Zombie Cookie Program. When Will Verizon?
“The kale salad of a perfect response”
— student in my Internet Law class.
The context was why people saying nasty things online have an advantage, one reason being that it takes time to craft the kale salad of a perfect response.
I just joined Ello, the ad-free, public-spirited, clean-design alternative to Twitter.
It’s pretty, and I like the spirit of the thing, but I’m not sure yet what I’ll do with it — many of the accounts there seem much more graphics-oriented than I am. Not to mention cooler.