Security

Internet Security is a Myth

Recently a "wildcard" SSL (Secure Sockets Layer) certificate for Google (i.e. *.google.com) was found in the wild, being presented by a non-Google site from an Iranian IP address. This means that the server presenting it could impersonate any Google website whose name ends in "google.com". In this way malicious operators could collect login information for many services, including email, and then scan email for more personal details to assist in identity theft, or steal login credentials for other sites, such as PayPal. (Many sites require you to receive email at a known email address to reset your password, so having control of someone's email is an easy route to accessing their accounts on other sites, perhaps even web banking.)

  The Economist, The Register articles on Google Certificate in the wild

Noted security researcher Moxie Marlinspike talks at the yearly hacker conference "BlackHat 2011" about recent issues with SSL, the Secure Sockets Layer, which protects most electronic communications on the internet and in some banking networks. In the second half of his talk he discusses the complexity of the security designs used on the internet, and some possible solutions to the current situation.

SSL and the Future of Authenticity: Marlinspike @ BlackHat 2011

Government Reports on Privacy: They're good for you

Two recently released reports (one from the Office of the Privacy Commissioner of Canada, the other from the Office of the Information and Privacy Commissioner of Ontario) offer thorough, carefully considered looks at security and privacy in a world that relies increasingly on mobile and Wi-Fi internet.

The Canadian Privacy Commissioner issued her annual report to Parliament on the Personal Information Protection and Electronic Documents Act (PIPEDA). What follows is a snippet from the introduction to her report.

"Personal information has become a valuable commodity. Companies make money from the use of personal information – it’s no wonder that some would like us to believe that privacy doesn’t matter. [...] The pressure on privacy is not just the result of new social standards or new and captivating technologies. In the commercial sphere where PIPEDA applies, it chiefly comes from the fact that there is big money to be made in pushing the privacy boundaries."

The Ontario-specific Commissioner's Office released a more focussed report, examining the implications of security flaws in the information architecture of Wi-Fi Positioning systems. They come out strongly advocating a Privacy by Design model, as opposed to Open by Default, since we all know "the default rules".

"Privacy is predicated on providing users with personal control along with openness and transparency associated with one’s practices, which demonstrates respect for the user, and builds greater trust."

They give strong examples to indicate why there's a need for policy:

A Lulzy Take on Media Literacy

A heads up before we begin: in case you’re unfamiliar with the lulz, you should check out the Metaviews glossary entry on the term (made by yours truly).

Through a series of clever hacks, the folks at Lulz Security have captured our collective imagination and stolen some of the spotlight from Anonymous. LulzSec first made headlines in May for hacking Sony Pictures, but they’ve since penetrated systems belonging to PBS, Nintendo, Britain’s National Health Service and an FBI affiliate site known as Infragard.

Declaring themselves to be “pirate ninjas”, LulzSec’s hacks often seem more like amusing pranks than serious security breaches. They issue hilarious press releases via twitter or Pastebin, deface websites with internet memes and, in the case of the PBS hack, they spread a false news story claiming deceased rappers Tupac and Notorious B.I.G. were alive and well in New Zealand. Given such a tone, it’s not all that surprising that CBS assumed that LulzSec was behind the recent “Hashbrown Hoax” hack on the Conservative Party of Canada website (in reality, a hacker calling themselves @LulzRaft claimed responsibility, but they seem to be at least inspired by LulzSec).

The Rise of Mobile Commerce

A new mobile payment system introduced by the Canadian company ZoomPass is the latest in a line of technologies that have tried to entice consumers into using wireless or chip-based smart cards as a means of making small payments. So far consumers have been resistant to adopting these kinds of payment systems; however, given our obsession with mobile devices and their ubiquity in our lives, this might be the system that succeeds where others have failed.

ZoomPass is a Canadian mobile payment system that is owned by Canada's three largest mobile companies (Bell, Telus, Rogers) and backed by MasterCard. Originally it started as a means of making payments via text message, as well as a smart phone application. The person making

Google and More Google

I know this may seem a little tardy, but I thought it would be nice to collect a few of the most interesting musings on Google, in case you have somehow missed the biggest non-Apple news of 2010. This has already been a big year for Google, between the announcement that it was leaving China, the launch of the Nexus One, Google Buzz, and their energy and broadband initiatives. Without further ado...

Privacy and Surveillance

Brad Stone writes for the New York Times about a study on attitudes towards privacy and the inconsistencies of human behaviour:

"Our privacy principles are wobbly. We are more or less likely to open up depending on who is asking, how they ask and in what context."