Saturday, January 05, 2008

A Philosophical Security Stance

On the heels of my last post on how to convert FLV format video files from the web to an iPod compatible format, a commenter with the moniker "LNA" made a request I check out a new "Beta" on-line file conversion site.

I started to drop this post in as a comment response to LNA, but it was getting a bit long, and I thought some others might be interested in my personal feelings about on-line format conversion websites.

In addition to websites that can help you acquire the FLV steaming file and save it to your local drive, there are a number of "on-line" format conversion websites. A quick few are:

You Convert it

You Convert it is in a "Beta" release status. Which either means they are trying to be "cool" like Google, or they want to get some load-testing on their servers underway.

You can convert a wide range of document, image, video, compressed, and sound files to other formats.  You can send files (up to 1000 MB) from your system to others or post a link to them for up to seven days. And you can convert units from one format to another.

I looked specifically at the website LNA mentioned (You Convert it) and analyzed its Terms of Service, Privacy Policy, and DMCA Policy.

The TOS/PP are pretty standard fare, with the usual statements that the site may use advertising, web beacons/cookies, and offer "additional content" via third parties that are associated with, but not controlled by You Convert it.

I do find it very curious that the site took the time to craft and post a DMCA Policy and how to submit takedown requests.  If the site is only handling conversions for users and not posting this converted material, why might they need a DMCA takedown policy?  Does this suggest they might be posting converted material in the future?  It's not clear. Maybe it is just CYA.

The supported formats for conversion are very extensive.  That does look appealing.  I don't think there are many sites that have this scope of conversion options.

You are required to provide an email address to use the service.

It might just indeed become a premiere on-line file conversion location on the web.  It does look very Web 2.0.

A Philosophical Security Stance

I'm ambivalent with my feelings on these types of sites, which is why I strongly prefer local pc-based format conversion software I run on my own machine, and not off a remote Web-server not under my own control.

Let me be clear; these feeling from a security stance perspective are a philosophical one against on-line file/format conversion sites in general...and in no way directed to this (or any other such website) in particular I may have linked to. Understand? I'm not slinging mud, I'm evaluating the landscape now.

The Big Question™: How does the end-user know they can trust the site with their original document/file content?

Sure I'm sure everyone on the web is on the up-and-up and all websites are 100% trustworthy (read: sarcasm), but suppose I was interested in hacking or corporate espionage. 

What better way to trawl for inside information or other goodies than by offering up a web-based file conversion service? 

Miss Kimiko's boss has a top-level organizational financial document that has to be distributed to the board-members ASAP.  He is calling her from his home at 2 AM in the morning and emailing the document to her at her home.  She doesn't have "GoToMyPC" or other software. She doesn't even have a corporate pc/laptop at home.  Boss Man needs it done now and her job is on the line.

So Miss Kimiko gets the document but finds that Boss Man used a format that she doesn't have the software to support on her system, nor do the other blokes on the board. It's a two-hour commute into the office (when the subway is running) so she does a quick search and finds a handy on-line file format conversion service.  Hurrah!

She uploads the file, gets the converted format back, sends it to all the board members and goes back to sleep dreaming of her heroic act and hoping for a raise.

Only when she gets in the office, her boxes are packed and an internal security investigation is going on how a top-secret document was able to be obtained and used by nefarious parties outside the organization.

Unbeknownst to poor Miss Kimiko, someone had created a "honey-pot" of sorts at the website she used.  Miss Kimiko uploaded her document to the server, a copy was set aside for later data-mining, and then the re-formatted copy was provided back.

Miss Kimiko was none the wiser.

How can any end-user know they just lost the company's inside information?

They don't and can't; until the cow-pie hits the fan.

Why "Local" remains "Safer" (Generally)

At least with locally installed software-based format conversion software, I can run the application through the A/V wringers, Sandbox it (or run in a virtual session) for inspection, run it behind a firewall to see if it "leaks" information out, and so on.  This way I have much more control over monitoring what happens with the data I am converting; especially from a data security point.

Again, my stance is a philosophical one from a security stance against on-line file/format conversion sites in general...and in no way directed to this one website in particular.

Businesses and corporations should have a clearly defined IT policy regarding use of off-site/web-site file storage and/or file conversion activities.

File formats used internally by the organization should be standardized and ALL employees, vendors, and contractors should be afforded access to the same software used to generate and read them.

Home users probably don't have to apply quite the same degree of diligence, but they DO still need to remain vigilant about what the personal nature of content in documents and files they are submitting to on-line locations for conversion.  It's one thing for pooch Spot's chasing the cat up the Christmas tree video to get "appropriated."  It's an entirely different thing for that PDF of your tax forms you converted on-line to get "pilfered."

In the end, I'm not sure of ANY method to determine what happens to the files submitted during and after the conversion occurs at an on-line website.  You have to "trust" them to be responsible and do the right thing.  Statements and declarations of policy by the service providers regarding data-retention are helpful (when you can find them), but they aren't worth much if you can't independently verify them.

I'm sure at best, most of these sites are designed and ran buy folks who found a niche service on the web, who want to do it very well and in a trustworthy way to their clients, and maybe, they can serve up some Ads for revenue to pay the server and bandwidth bills (with a little extra on the side to go eat burgers on). If they play their cards right, maybe a Big Fish™ like Google or Yahoo will be interested and gobble them up so they can buy a Porsche and retire at twenty-six..

At least with video file "download-helper" websites, you are just funneling the data down to your local pc from the web.  They might track your usage, IP address(es) and what content you are downloading, but you likely aren't releasing many secrets otherwise.

It's the sending-up of data that I would be most concerned about.

I know I am likely being a bit of a nerdy security-minded alarmist...but that's my job and personality.

I'm sure they are all great, just use them with caution...even if they do look rockin-handsome and handy.


No comments: