Security: Difference between revisions
wikilinks - authorization |
m link deceptive lang |
||
| (2 intermediate revisions by 2 users not shown) | |||
| Line 4: | Line 4: | ||
A security vulnerability is any function of a product that allows an unauthorized agent is able to gain some level of control over the product, its information, or the product's environment. Vulnerability severity can range depending on how much access an unauthorized agent is granted. To further understand vulnerabilities it is useful to list some real examples: | A security vulnerability is any function of a product that allows an unauthorized agent is able to gain some level of control over the product, its information, or the product's environment. Vulnerability severity can range depending on how much access an unauthorized agent is granted. To further understand vulnerabilities it is useful to list some real examples: | ||
#The apache log4j exploit<ref>[https://www.ibm.com/think/topics/log4j "What is the Log4j vulnerability?"] - ibm.com - accessed 1/22/2025</ref> where a malicious user could remotely execute code (known as an | #The apache log4j exploit<ref>[https://www.ibm.com/think/topics/log4j "What is the Log4j vulnerability?"] - ibm.com - accessed 1/22/2025 ([http://web.archive.org/web/20260113232610/https://www.ibm.com/think/topics/log4j Archived])</ref> where a malicious user could remotely execute code (known as an RCE Attack) by feeding the logger malicious data which causes it to download and execute malicious code. This vulnerability could compromise the security of nearly any system running applications with older versions of log4j. The impact of the log4j exploit could have been massive due to its status as a Java library, meaning that many programs use it solely for the purpose of logging information causing log4j to have massive reach. | ||
#The NoFly.csv leak where the majority if not the entirety of the US No Fly list was exposed on an unsecured server.<ref>[https://www.dailydot.com/debug/no-fly-list-us-tsa-unprotected-server-commuteair/ "EXCLUSIVE: U.S. airline accidentally exposes ‘No Fly List’ on unsecured server"] - dailydot.com - accessed 1/22/2025</ref> Similar data leaks have and can occur containing more sensitive user information: emails, passwords, real names, | #The NoFly.csv leak where the majority if not the entirety of the US No Fly list was exposed on an unsecured server.<ref>[https://www.dailydot.com/debug/no-fly-list-us-tsa-unprotected-server-commuteair/ "EXCLUSIVE: U.S. airline accidentally exposes ‘No Fly List’ on unsecured server"] - dailydot.com - accessed 1/22/2025 ([http://web.archive.org/web/20250602100136/https://www.dailydot.com/debug/no-fly-list-us-tsa-unprotected-server-commuteair/ Archived])</ref> Similar data leaks have and can occur containing more sensitive user information: emails, passwords, real names, social security numbers (SSN), etc. | ||
Security vulnerabilities primarily show up in software products but they can also exist in real life. Home security often depends upon locks which are themselves physical security implementations that prevent intruders from entering but this does not stop someone from just smashing the window: a physical security vulnerability | Security vulnerabilities primarily show up in software products but they can also exist in real life. Home security often depends upon locks which are themselves physical security implementations that prevent intruders from entering but this does not stop someone from just smashing the window: a physical security vulnerability | ||
==How security relates to consumer rights== | ==How security relates to consumer rights== | ||
Security is both a blessing and a curse towards control over the things consumers own. Being forced to login to a laptop to use it is a sensible decision, being forced to connect your treadmill to the internet and gain authorization just to run on it (as seen [[Peloton Removes Just Run Feature|here]]) is not. Companies may use security as an excuse to reduce consumer control and so it is important to identify these misuses. If a company takes away consumer rights using security as an excuse consider that "the emperor may not have any clothes" and their security is not as strong as they portray it. {{Citation needed|reason=needs verifiability}} | Security is both a blessing and a curse towards control over the things consumers own. Being forced to login to a laptop to use it is a sensible decision, being forced to connect your treadmill to the internet and gain authorization just to run on it (as seen [[Peloton Removes Just Run Feature|here]]) is not. Companies may use [[Deceptive language frequently used against consumers#"For the safety of the consumer"|security as an excuse]] to reduce consumer control and so it is important to identify these misuses. If a company takes away consumer rights using security as an excuse consider that "the emperor may not have any clothes" and their security is not as strong as they portray it. {{Citation needed|reason=needs verifiability}} | ||
===Poor security principals harm the consumer=== | ===Poor security principals harm the consumer=== | ||
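Review bot: The new wikilink target in the consumer-rights paragraph, [[Deceptive language frequently used against consumers#"For the safety of the consumer"|security as an excuse]], points at a section anchor containing literal double quotes; confirm it resolves to that section, because a mismatched anchor silently lands the reader at the top of the page. The archive links added inside both refs use http://web.archive.org and should be https://. In the completed Log4j item, "older versions of log4j" and "could have been massive due to its status as a Java library" are vague; name the affected versions from the cited source and say directly that the reach comes from how many programs include the library for logging. Unchanged on both sides but worth fixing while this paragraph is open: "allows an unauthorized agent is able to gain" (drop "is able to"), "forced to login" (verb form is "log in"), and the heading "Poor security principals" (should be "principles").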
| Line 35: | Line 35: | ||
==Further reading== | ==Further reading== | ||
*[[End-user license agreement]] | |||
*[[Terms of service]] | |||
*[[Right to own]] | |||
*[[Internet of Things]] | |||
==References== | ==References== | ||
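Review bot: The four Further reading entries (End-user license agreement, Terms of service, Right to own, Internet of Things) appear only in the left-hand column, so the newer revision leaves "==Further reading==" as an empty heading sitting directly above "==References==". Either restore the entries or remove the heading along with them. Neither visible edit summary ("wikilinks - authorization", "m link deceptive lang") explains dropping these links, so the reason should be stated in the summary or on the talk page.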