Security: Difference between revisions
A security vulnerability is any function of a product that allows an unauthorized agent to gain some level of control over the product, its information, or the product's environment. The severity of a vulnerability depends on how much access the unauthorized agent is granted. To better understand vulnerabilities, it helps to look at some real examples:
#The Apache Log4j exploit<ref>[https://www.ibm.com/think/topics/log4j "What is the Log4j vulnerability?"] - ibm.com - accessed 1/22/2025</ref>, where a malicious user could remotely execute code (a remote code execution, or RCE, attack) by feeding the logger crafted data that causes it to download and execute malicious code. This vulnerability could compromise the security of nearly any system running applications with older versions of Log4j. Its impact could have been massive because Log4j is a Java library that many programs include solely for the purpose of logging information, giving a single flaw enormous reach.
#The NoFly.csv leak, where the majority, if not the entirety, of the US No Fly list was exposed on an unsecured server.<ref>[https://www.dailydot.com/debug/no-fly-list-us-tsa-unprotected-server-commuteair/ "EXCLUSIVE: U.S. airline accidentally exposes ‘No Fly List’ on unsecured server"] - dailydot.com - accessed 1/22/2025</ref> Similar data leaks have occurred, and can occur again, containing more sensitive user information: emails, passwords, real names, social security numbers (SSN), etc.
Security vulnerabilities primarily show up in software products, but they can also exist in the physical world. Home security often depends upon locks, which are physical security measures that prevent intruders from entering, but a lock does not stop someone from simply smashing a window: a physical security vulnerability.
====Security through obscurity====
{{main|Security through obscurity}}
Obscuring, or hiding, a product's information increases the time a person or organization would need to fully understand how the product works. While this may delay the discovery of security vulnerabilities{{Citation needed|reason=needs verifiability}}, it can never stop them{{Citation needed|reason=Who?}}. In addition, obscuring product information prevents consumers from maintaining their own products, violating their [[Right to Repair|right to repair]].{{Citation needed|reason=needs verifiability}}
====Security through authorization====
{{main|Authorization}}
Authorization is the process of confirming that a user is who they say they are. Authorization processes are extremely important to the functioning of the internet, but they risk becoming a security vulnerability and a threat to consumer rights if used improperly. Companies can use authorization features to lock out functionality when the user's subscription expires; in this case the purpose of authorization is lost, because the user need not confirm who they are, only that they hold a valid subscription. These lock-outs are significant in that the product's physical features still work, but the company intentionally prevents the user from accessing them because their internet-based subscription has ended.
#Avoid physical products that require a subscription to use. For example, a normal treadmill won't brick itself if the company goes out of business or decides to [[Peloton Removes Just Run Feature|eliminate a subscription-free feature]] in the name of safety or security.
#Avoid closed-source products if equivalent open-source products exist. Open-source products are not necessarily more secure, but they are far less likely to violate a consumer's rights, simply because the consumer has the ability to change the product as they wish.
==Further reading==
* [[End-user license agreement]]
* [[Terms of service]]
* [[Right to own]]
* [[Internet of Things]]
==References==
<references />
[[Category:Common terms]]
[[Category:Articles in need of additional work]]