
Aral Balkan: Beyond The Camera Panopticon

Posted on May 12th, 2015 at 18:17 by John Sinteur in category: Privacy



The Truth About Smartphone Apps That Secretly Connect to User Tracking and Ad Sites

Posted on May 3rd, 2015 at 19:12 by John Sinteur in category: Google, Privacy

[Quote]:

Vigneri and co began by downloading over 2,000 free apps from all 25 categories on the Google Play store. They then launched each app on a Samsung Galaxy SIII running Android version 4.1.2 that was set up to channel all traffic through the team’s server. This recorded all the urls that each app attempted to contact. Next they compared the urls against a list of known ad-related sites from a database called EasyList and a database of user tracking sites called EasyPrivacy, both compiled for the open source AdBlock Plus project. Finally, they counted the number of matches on each list for every app.

The results make for interesting reading. In total, the apps connect to a mind-boggling 250,000 different urls across almost 2,000 top level domains. And while most attempt to connect to just a handful of ad and tracking sites, some are much more prolific.

Vigneri and co give as an example “Music Volume Eq,” an app designed to control volume, a task that does not require a connection to any external urls. And yet the app makes many connections. “We find the app Music Volume EQ connects to almost 2,000 distinct URLs,” they say.

And it is not alone in its excesses. The team say about 10 percent of the apps they tested connect to more than 500 different urls. And nine out of 10 of the most frequently contacted ad-related domains are run by Google.
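The matching step the study describes, as an added example that is not the researchers' code: it implements the two EasyList/EasyPrivacy rule forms that matter for this kind of check (the `||host^` domain anchor and plain substring rules) and counts, per app, the distinct logged URLs that hit each list. The filter lines, app names and URL logs are constructed for illustration.

```python
"""Count, per app, the logged URLs that match ad and tracker filter lists.

Added example, not the researchers' code. It implements the subset of the
Adblock Plus filter syntax used by EasyList/EasyPrivacy that matters here:
the ``||host^`` domain anchor (host and all its subdomains) and plain
substring rules. Comments (!), exception rules (@@) and element-hiding
rules (##) are skipped, and ``$option`` suffixes are ignored.
"""
from urllib.parse import urlparse

# Constructed filter lines in EasyList/EasyPrivacy syntax, not the real lists.
EASYLIST_SAMPLE = """
! Ad servers (constructed sample)
||ads.example-adnet.com^
||example-syndication.net^$third-party
/banner_ad.
"""
EASYPRIVACY_SAMPLE = """
! Trackers (constructed sample)
||metrics.example-tracker.io^
||example-analytics.com^
"""

# Constructed per-app URL logs standing in for the proxy's capture.
LOGGED_URLS = {
    "volume-eq": [
        "http://ads.example-adnet.com/serve?slot=1",
        "http://cdn.ads.example-adnet.com/creative.js",
        "http://ads.example-adnet.com/serve?slot=1",      # duplicate, counted once
        "https://metrics.example-tracker.io/collect?id=abc",
        "https://example-analytics.com/ping",
        "https://api.example-weather.org/now",
    ],
    "notes": [
        "https://sync.example-notes.app/v1",
        "http://img.example-cdn.net/banner_ad.png",
    ],
}


def compile_rules(filter_text):
    """Split filter text into (domain anchors, substring rules)."""
    hosts, substrings = [], []
    for line in filter_text.splitlines():
        line = line.strip()
        if not line or line[0] == "!" or line.startswith("@@") or "##" in line:
            continue
        line = line.split("$", 1)[0]            # drop $third-party and friends
        if line.startswith("||"):
            hosts.append(line[2:].rstrip("^").lower())
        elif line:
            substrings.append(line)
    return hosts, substrings


def url_matches(url, rules):
    """True if the URL's host is under a domain anchor or the URL contains a substring rule."""
    hosts, substrings = rules
    host = (urlparse(url).hostname or "").lower()
    if any(host == h or host.endswith("." + h) for h in hosts):
        return True
    return any(s in url for s in substrings)


def count_matches(app_urls, rules):
    """Distinct matching URLs per app: the per-list count the study reports."""
    return {app: sum(url_matches(u, rules) for u in set(urls))
            for app, urls in app_urls.items()}


def prolific_apps(app_urls, threshold):
    """Apps contacting more than `threshold` distinct URLs (the study's '500 URLs' cut)."""
    return sorted(app for app, urls in app_urls.items() if len(set(urls)) > threshold)


if __name__ == "__main__":
    for name, text in (("EasyList", EASYLIST_SAMPLE), ("EasyPrivacy", EASYPRIVACY_SAMPLE)):
        print(name, count_matches(LOGGED_URLS, compile_rules(text)))
    print("prolific:", prolific_apps(LOGGED_URLS, 4))
```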




Comments:

  1. The free market at work…

  2. I guess if you set your volume too high you will see hearing aid ads. If you turn it up to 11 you’ll get ads for metal concerts.

  3. Outdated information. The Android version 4.1.2 now runs on only 15% of devices. In later versions of Android it is possible to set exactly what information an app can get access to (Privacy Protection setting).
    Nice to know, though, what happened in those previous versions.

  4. And these things are so simple and clear to every user they will happily click yes when installing that calculator app that asks for access to everything in your phone.

    So are you going to curate everything installed on your mother’s phone for her with these Privacy Protection settings, or do you tell her to go to a curated environment where a calculator app that wants access to your location doesn’t even make it into the app store?

  5. @John – Curated environment – does this exist? If not, want to set one up?

Irate Congressman gives cops easy rule: “just follow the damn Constitution”

Posted on May 1st, 2015 at 10:41 by John Sinteur in category: Privacy, Security

[Quote:]

It’s a fundamental misunderstanding of the problem. Why do you think Apple and Google are doing this? It’s because the public is demanding it. People like me: privacy advocates. A public does not want an out-of-control surveillance state. It is the public that is asking for this. Apple and Google didn’t do this because they thought they would make less money. This is a private sector response to government overreach.

Then you make another statement that somehow these companies are not credible because they collect private data. Here’s the difference: Apple and Google don’t have coercive power. District attorneys do, the FBI does, the NSA does, and to me it’s very simple to draw a privacy balance when it comes to law enforcement and privacy: just follow the damn Constitution.

And because the NSA didn’t do that and other law enforcement agencies didn’t do that, you’re seeing a vast public reaction to this. Because the NSA, your colleagues, have essentially violated the Fourth Amendment rights of every American citizen for years by seizing all of our phone records, by collecting our Internet traffic, that is now spilling over to other aspects of law enforcement. And if you want to get this fixed, I suggest you write to NSA: the FBI should tell the NSA, stop violating our rights. And then maybe you might have much more of the public on the side of supporting what law enforcement is asking for.

Then let me just conclude by saying I do agree with law enforcement that we live in a dangerous world. And that’s why our founders put in the Constitution of the United States—that’s why they put in the Fourth Amendment. Because they understand that an Orwellian overreaching federal government is one of the most dangerous things that this world can have. I yield back.

Rep. Ted Lieu (D-CA)



Comments:

  1. When the trade towers were hit, the anger and fear that were generated translated into the Afghan war, which was justifiable, and the Iraq war, justified by lies that a fearful public swallowed. And the Patriot Act, which a fearful public swallowed. So, people may not have been thinking that what they were asking for was a surveillance state, but at that point they didn’t care. It was “save us, daddy”. I don’t know how much that has changed, but we got what we asked for. We. We The Shameful People.

  2. @John Dominingue: It gives me hope that you say that. Things can be changed. “There is a tide in the affairs of men…etc.”

JavaScript CPU cache snooper tells crooks EVERYTHING you do online

Posted on April 21st, 2015 at 11:52 by John Sinteur in category: Privacy, Security

[Quote]:

Four Columbia University boffins reckon they can spy on keystrokes and mouse clicks in a web browser tab by snooping on the PC’s processor caches.

The exploit is apparently effective against machines running a late-model Intel CPU, such as a Core i7, and a HTML5-happy browser – so perhaps about 80 percent of desktop machines.

Yossef Oren, Vasileios Kemerlis, Simha Sethumadhavan, and Angelos Keromytis came up with this side-channel attack, which can be performed by JavaScript served from a malicious web ad network. It works by studying the time it takes to access data stored in the last-level cache – the L3 cache shared by all cores in a PC – and matches it to user activity.

The research has prompted Google, Microsoft, Mozilla, and Apple to upgrade their browsers to smother the attack vector. Nothing has yet been released.

“In the meantime the best suggestion I have for end-users is: close all non-essential browser tabs when you’re doing something sensitive on your computer,” he says.



Apple and the Self-Surveillance State

Posted on April 11th, 2015 at 14:56 by John Sinteur in category: Apple, Privacy

[Quote]:

Like lots of people, I’m paying attention to the Apple Watch buzz, and doing some of my own speculation. Needless to say, I have no special expertise here. But what the heck; I might as well put my own thoughts out there.

So, here’s my pathetic version of a grand insight: wearables like the Apple watch actually serve a very different function — indeed, almost the opposite function — from that served by previous mobile devices. A smartphone is useful mainly because it lets you keep track of things; wearables will be useful mainly because they let things keep track of you.



Facebook says it tracked people who didn’t use Facebook because of ‘a bug’

Posted on April 10th, 2015 at 9:59 by John Sinteur in category: Privacy

[Quote]:

The researchers point out that Facebook’s “social plug-ins” — which other sites frequently use — tracked users who didn’t use the plug-ins, were not logged in to Facebook, and who did not even have a Facebook account. In its response post, Facebook conceded that “a bug” affected “a few” users and would be fixed.

The “bug” is that they got caught.



Comments:

  1. Yeah, as in “We are flaming assholes and a bug caused our condition!”.

  2. Is it a bug that your browser got bugged? It sure bugs me.

Leave Facebook if you don’t want to be spied on, warns EU

Posted on March 27th, 2015 at 21:31 by John Sinteur in category: Privacy, Security

[Quote]:

The European Commission has warned EU citizens that they should close their Facebook accounts if they want to keep information private from US security services, finding that current Safe Harbour legislation does not protect citizens’ data.

The comments were made by EC attorney Bernhard Schima in a case brought by privacy campaigner Maximilian Schrems, looking at whether the data of EU citizens should be considered safe if sent to the US in a post-Snowden revelation landscape.

“You might consider closing your Facebook account, if you have one,” Schima told attorney general Yves Bot in a hearing of the case at the European court of justice in Luxembourg.

When asked directly, the commission could not confirm to the court that the Safe Harbour rules provide adequate protection of EU citizens’ data as it currently stands.

[..]

Schrems maintains that companies operating inside the EU should not be allowed to transfer data to the US under Safe Harbour protections – which state that US data protection rules are adequate if information is passed by companies on a “self-certify” basis – because the US no longer qualifies for such a status.



Comments:

  1. I remember working for $LARGE_COMPANY where it was decided that all access, and all email encryption, email signatures, etc. were to be done by personal X.509 certificates.

    The Certificate Authority and key generation were done by a US company, and to get a new badge I had to sign something waiving all kinds of privacy rights specified in the Safe Harbour regulations referenced above.

    I refused on the grounds that I did not want the US government to be able to decrypt all the mail of $LARGE_COMPANY.

    That was unexpected, and their procedures didn’t account for this possibility. I was warned that I might lose access to email or buildings. I told them we’d cross that bridge when we’d get to it, but I left not long after.

RadioShack puts customer personal data up for sale in bankruptcy auction

Posted on March 25th, 2015 at 18:10 by John Sinteur in category: Privacy

[Quote]:

For years, RadioShack made a habit of collecting customers’ contact information at checkout. Now, the bankrupt retailer is putting that data on the auction block.

A list of RadioShack assets for sale includes more than 65 million customer names and physical addresses, and 13 million email addresses. Bloomberg reports that the asset sale may include phone numbers and information on shopping habits as well.

The auction is already over, with Standard General—a hedge fund and RadioShack’s largest shareholder—reportedly emerging as the victor. But a bankruptcy court still has to approve the deal, and RadioShack faces a couple legal challenges in turning over customer data.



Court overturns Dutch data retention law, privacy more important

Posted on March 12th, 2015 at 16:41 by John Sinteur in category: Privacy

[Quote]:

Lawyers, journalists and three small telecoms firms went to court in a bid to get the legislation set aside. They argue that internet firms should not be keeping information about the communications of everyone in the country, whether or not they are suspected of a crime.

Companies have been required to keep the information for a year since 2009. The EU found in 2014 that the mass storage of information is a serious breach of privacy and put its data retention legislation on hold.

This put Dutch telecoms firms in a difficult position. They were required to keep the information under Dutch law even though it was not allowed in European legal terms.

‘Dutch law conflicted with European law and that has now been put right,’ a lawyer for the complainants told broadcaster Nos.



Philip Hammond: time to ‘move on’ from Snowden surveillance revelations

Posted on March 11th, 2015 at 11:40 by John Sinteur in category: Privacy, Security

[Quote]:

Britain needs to draw a line under the debate about mass surveillance by the intelligence agencies sooner rather than later to stop them getting distracted from their work, Philip Hammond, the foreign secretary, said on Tuesday.

The senior Conservative said his party would legislate early in the next parliament to give the security services extra powers and address legitimate public concerns about their oversight.

But he said the debate about privacy sparked by the American whistleblower Edward Snowden, whose revelations about mass surveillance by the agencies were published by the Guardian and others, “cannot be allowed to run on forever”.

Speaking at the Royal United Services Institute (Rusi), Hammond said: “We need to have it, address the issues arising from it and move on sooner rather than later if the agencies are not to become distracted from their task.

“The prime minister, home secretary and I are determined we should draw a line under the debate by legislating early in the next parliament to give our agencies clearly and transparently the powers they need and to ensure our oversight regime keeps pace with technological change and addresses the reasonable concerns of our citizens.”

Debate cannot be allowed to happen when we decide it can’t. Like whether or not we were at war with Eastasia. We were always allies with Eastasia, and we will not tolerate this argument being dragged on forever.



Comments:

  1. Big Brother is watching YOU! Uncle George must be spinning in his grave, shaking his head, asking “Why are they 20+ years late?”… :sarcasm meter spinning at 110%:

Geotagging One Hundred Million Twitter Accounts with Total Variation Minimization

Posted on March 10th, 2015 at 21:13 by John Sinteur in category: Privacy

[Quote]:

Geographically annotated social media is extremely valuable for modern information retrieval. However, when researchers can only access publicly-visible data, one quickly finds that social media users rarely publish location information. In this work, we provide a method which can geolocate the overwhelming majority of active Twitter users, independent of their location sharing preferences, using only publicly-visible Twitter data.

Our method infers an unknown user’s location by examining their friend’s locations. We frame the geotagging problem as an optimization over a social network with a total variation-based objective and provide a scalable and distributed algorithm for its solution. Furthermore, we show how a robust estimate of the geographic dispersion of each user’s ego network can be used as a per-user accuracy measure which is effective at removing outlying errors.

Leave-many-out evaluation shows that our method is able to infer location for 101,846,236 Twitter users at a median error of 6.38 km, allowing us to geotag over 80% of public tweets.



Comments:

  1. Yup, I’m still sitting on my couch.

CIA hacked iPhone, iPad and Mac security – Snowden documents reveal extent of privacy invasion

Posted on March 10th, 2015 at 16:47 by John Sinteur in category: Apple, Privacy, Security

[Quote]:

The CIA has spent almost a decade attempting to breach the security of Apple’s iPhone, iPad and Mac computers to allow them to secretly plant malware on the devices. Apple announced on Monday, 9 March, that it had sold over 700 million iPhones since the first version was announced in 2007, giving some idea of the scope of the CIA tactics.

Revealed in documents released to The Intercept by Edward Snowden, the CIA’s efforts at undermining Apple’s encryption have been announced at a secret annual gathering known as the “Jamboree”, which has been taking place since 2006, a year before the first iPhone was released.



Comments:

  1. Actually interesting bits:

    While the report details the efforts the CIA undertook to crack Apple’s security measures, it or the documents don’t say how successful the efforts were at undermining the security of iPhones, iPads and Macs.

    and

    the CIA also claims to have developed a poisoned version of Xcode, the software development tool used by app developers to create the apps sold through Apple’s hugely successful App Store. It is unclear how the CIA managed to get developers to use the poisoned version of Xcode, but it would have allowed the CIA to install backdoors into any apps created using their version.

    and

    The CIA also looked to breach the security of Apple’s desktop platform, claiming they had successfully modified the OS X updater. If this is true it would allow the CIA to intercept the update mechanism on Apple’s Mac laptops and desktops to install a version of the updated Mac OS X with a keylogger installed.

Lindsey Graham: I’ve Never Sent an Email

Posted on March 9th, 2015 at 9:10 by John Sinteur in category: Privacy, Security

[Quote]:

He’s been a U.S. senator for 12 years, and was a Congressman for eight more before that, but South Carolina Republican Lindsey Graham says he has never sent an email.

In a discussion on NBC’s Meet the Press about the controversy surrounding Hillary Clinton’s use of a home-based email server while she was secretary of state, moderator Chuck Todd asked Graham, “Do you have a private e-mail address?”

Graham’s surprising answer: “I don’t email. No, you can have every email I’ve ever sent. I’ve never sent one.”

In a sane world, this would make him ineligible to be on the Privacy, Technology, and Law subcommittee.



Comments:

  1. Au contraire, you can’t get more secure than being not connected, but it is likely to leave you in the singular position of being unusually ill informed about the casual day to day concerns of e-mail use.

  2. I bet he wonders why there’s such a fuss about luncheon meat.

Obama sharply criticizes China’s plans for new technology rules

Posted on March 4th, 2015 at 10:58 by John Sinteur in category: Privacy, Security

[Quote]:

President Barack Obama on Monday sharply criticized China’s plans for new rules on U.S. tech companies, urging Beijing to change the policy if it wants to do business with the United States and saying he had raised it with President Xi Jinping.

In an interview with Reuters, Obama said he was concerned about Beijing’s plans for a far-reaching counterterrorism law that would require technology firms to hand over encryption keys, the passcodes that help protect data, and install security “backdoors” in their systems to give Chinese authorities surveillance access.

“This is something that I’ve raised directly with President Xi,” Obama said. “We have made it very clear to them that this is something they are going to have to change if they are to do business with the United States.”

But, of course, if American law enforcement wants the passwords, it’s OK. Here’s Obama last week:

[Quote]:

Obama: … the company says “sorry, we just can’t pull it. It’s so sealed and tight that even though the government has a legitimate request, technologically we cannot do it.”

Swisher: Is what they’re doing wrong?

Obama: No. I think they are properly responding to a market demand. All of us are really concerned about making sure our…

Swisher: So what are you going to do?

Obama: Well, what we’re going to try to do is see if there’s a way for us to narrow this gap. Ultimately, everybody — and certainly this is true for me and my family — we all want to know if we’re using a smartphone for transactions, sending messages, having private conversations, we don’t have a bunch of people compromising that process. There’s no scenario in which we don’t want really strong encryption.

The narrow question is going to be: if there is a proper request for — this isn’t bulk collection, this isn’t fishing expeditions by government — where there’s a situation in which we’re trying to get a specific case of a possible national security threat, is there a way of accessing it? If it turns out there’s not, then we’re really going to have to have a public debate. And, I think some in Silicon Valley would make the argument — which is a fair argument, and I get — that the harms done by having any kind of compromised encryption are far greater than…

Swisher: That’s an argument you used to make, you would have made. Has something changed?

Obama: No, I still make it. It’s just that I’m sympathetic to law enforcement…



Comments:

  1. Hey, if you don’t like it, you can always leave. Here’s a suggestion, make it in the USA. You already have the encryption keys.

EFF unearths evidence of possible Superfish-style attacks in the wild

Posted on February 26th, 2015 at 16:49 by John Sinteur in category: Privacy, Security

[Quote]:

It’s starting to look like Superfish and other software containing the same HTTPS-breaking code library may have posed more than a merely theoretical danger to Internet users. For the first time, researchers have uncovered evidence suggesting the critical weakness may have been exploited against real people visiting real sites, including Gmail, Amazon, eBay, Twitter, and Gpg4Win.org, to name just a few.



Apple CEO Tim Cook Speaking Live at 2015 Goldman Sachs Technology Conference

Posted on February 11th, 2015 at 20:46 by John Sinteur in category: Apple, Privacy

[Quote]:

Following up on the payment space, most of your competitors are collecting personal data. You’re not.

We believe customers have a right to privacy, and the vast majority of customers don’t want people knowing everything about them. When you make a purchase, we make a little bit of money. It’s very simple, very straightforward. You are not our product, that’s our product. There’s no need for us to know what you’re buying, where you’re buying, I don’t want to know any of that. We think customers will rebel on that. Similar with HealthKit…you want control over that. So we think over the arc of time, consumers will go with people they trust with their data. People are unknowingly sharing things with others, and info can be pieced together. Over time people will realize this more and demand privacy.

So with Apple Pay we needed something easier than pulling out a credit card, we knew it needed to be secure as well. We never give the merchant your credit card number. We don’t even have it. We’re making up a proxy for each transaction. Think about it…how secure is a card with your number on the front, and then a security code on the back! So Apple Pay had to be private. We’re facilitating a transaction between you, the merchant, and the bank.



Comments:

  1. From the Dutch newspaper AD today:
    Anonymising
    Apple also records what people say when they use the Siri service via their iPhone or iPad. They likewise send information that is not directly identifiable to remote servers to be translated. The phone giant anonymises the conversations by linking them to a phone number other than the user’s. Apple does store the information, according to some for as long as two years, in order to learn more about the user’s preferences and patterns.

  2. Loosely translated: “Using the Siri service, Apple records what people say when they are using their iPhone or iPad. They send information to remote servers to translate. Apple anonymizes the information by linking them to a different phone number than that of the user. Accordingly, Apple stores the information up to two years to learn more about the preferences and patterns of the user.”

    Which begs the question: If they anonymize it, what good is it if the user cannot be identified? Sounds like bullshit.

  3. @Mykolas: It’s the fig leaf if the data get stolen. “We made it hard to read.”

Feds operated yet another secret metadata database until 2013

Posted on January 21st, 2015 at 13:18 by John Sinteur in category: Do you feel safer yet?, Privacy

[Quote]:

In a new court filing, the Department of Justice revealed that it kept a secret database of telephone metadata—with one party in the United States and another abroad—that ended in 2013.

The three-page, partially redacted affidavit from a top Drug Enforcement Agency (DEA) official, which was filed Thursday, explained that the database was authorized under a particular federal drug trafficking statute. The law allows the government to use “administrative subpoenas” to obtain business records and other “tangible things.” The affidavit does not specify which countries’ records were included, but specifically does mention Iran.

This database program appears to be wholly separate from the National Security Agency’s metadata program revealed by Edward Snowden, but it targets similar materials and is collected by a different agency. The Wall Street Journal, citing anonymous sources, reported Friday that this newly-revealed program began in the 1990s and was shut down in August 2013.

The criminal case involves an Iranian-American man named Shantia Hassanshahi, who is accused of violating the American trade embargo against Iran. His lawyer, Mir Saied Kashani, told Ars that the government has clearly abused its authority.

“They’ve converted this from a war on drugs to a war on privacy,” he said.



When The FISA Court Rejects A Surveillance Request, The FBI Just Issues A National Security Letter Instead

Posted on December 31st, 2014 at 9:49 by John Sinteur in category: Do you feel safer yet?, Privacy, Security

[Quote]:

We considered the Section 215 request for [REDACTED] discussed earlier in this report at pages 33 to 34 to be a noteworthy item. In this case, the FISA Court had twice declined to approve a Section 215 application based on First Amendment Concerns. However, the FBI subsequently issued NSLs for information [REDACTED] even though the statute authorizing the NSLs contained the same First Amendment restriction as Section 215 and the ECs authorizing the NSLs relied on the same facts contained in the Section 215 applications…



German researchers discover a flaw that could let anyone listen to your cell calls.

Posted on December 19th, 2014 at 15:46 by John Sinteur in category: Do you feel safer yet?, Privacy, Security

[Quote]:

German researchers have discovered security flaws that could let hackers, spies and criminals listen to private phone calls and intercept text messages on a potentially massive scale – even when cellular networks are using the most advanced encryption now available.

The flaws, to be reported at a hacker conference in Hamburg this month, are the latest evidence of widespread insecurity on SS7, the global network that allows the world’s cellular carriers to route calls, texts and other services to each other. Experts say it’s increasingly clear that SS7, first designed in the 1980s, is riddled with serious vulnerabilities that undermine the privacy of the world’s billions of cellular customers.

The flaws discovered by the German researchers are actually functions built into SS7 for other purposes – such as keeping calls connected as users speed down highways, switching from cell tower to cell tower – that hackers can repurpose for surveillance because of the lax security on the network.



Comments:

  1. SS7 is a published protocol – it’s not really complicated although there’s a lot of it. There is a protocol conversion once mobile calls get into the “real” network, so it’s not a cause for mass panic. The data they’re concerned with is “just” signalling data.

    Presumably if you can make a device spoof a mobile phone’s data interchange to a tower you can find out roughly where any mobile phone is without setting up a call (part of the signalling protocol). And presumably listening in on mobile calls or getting/sending text messages is simple as long as you are in range of the phone or a tower.

    It’s probably of limited surveillance use unless you are able to spoof the law enforcement inter-office intercept protocol, when you can have masses of calls automatically recorded or forwarded wherever; but that’s under local central office control and unlikely.

    As for hacking call forwarding for a double hop, you can’t forward a call to a number that is already forwarded to you, and you couldn’t pick up outbound calls without being in range, so something is not quite right about that explanation.

Congress Just Passed Legislation Ramping Up Mass Surveillance to Super-Steroid Levels

Posted on December 15th, 2014 at 11:44 by John Sinteur in category: Do you feel safer yet?, Privacy

[Quote]:

When I learned that the Intelligence Authorization Act for FY 2015 was being rushed to the floor for a vote—with little debate and only a voice vote expected (i.e., simply declared “passed” with almost nobody in the room)—I asked my legislative staff to quickly review the bill for unusual language. What they discovered is one of the most egregious sections of law I’ve encountered during my time as a representative: It grants the executive branch virtually unlimited access to the communications of every American.



ISPs Removing Their Customers’ Email Encryption

Posted on November 14th, 2014 at 11:13 by John Sinteur in category: Privacy, Security

[Quote]:

Recently, Verizon was caught tampering with its customers’ web requests to inject a tracking super-cookie. Another network-tampering threat to user safety has come to light from other providers: email encryption downgrade attacks. In recent months, researchers have reported ISPs in the US and Thailand intercepting their customers’ data to strip a security flag—called STARTTLS—from email traffic. The STARTTLS flag is an essential security and privacy protection used by an email server to request encryption when talking to another server or client.

By stripping out this flag, these ISPs prevent the email servers from successfully encrypting their conversation, and by default the servers will proceed to send email unencrypted. Some firewalls, including Cisco’s PIX/ASA firewall, do this in order to monitor for spam originating from within their network and prevent it from being sent. Unfortunately, this causes collateral damage: the sending server will proceed to transmit plaintext email over the public Internet, where it is subject to eavesdropping and interception.
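The downgrade described above is visible in the EHLO reply the sending side receives, so a client can refuse to fall back to plaintext instead of proceeding. The following added example (not the EFF's or any vendor's code) parses the EHLO extension list, decides whether to upgrade or refuse, and includes a live probe built on the standard library's smtplib. The transcripts are constructed; the variant with the keyword overwritten by `XXXXXXXX` is an assumption about how an in-path firewall may blank the keyword while keeping the line length, not something the post states.

```python
"""Detect a stripped STARTTLS offer before sending mail.

Added example, not the EFF's or any ISP's code. A multi-line EHLO reply
consists of '250-' continuation lines followed by one final '250 ' line;
each line after the greeting starts with an extension keyword. If STARTTLS
is absent the defensive choice is to refuse, not to send in plaintext.
"""
import smtplib

# Constructed EHLO replies standing in for what the sending server sees.
CLEAN_EHLO = """250-mail.example-receiver.net Hello [192.0.2.10]
250-SIZE 35882577
250-8BITMIME
250-STARTTLS
250-ENHANCEDSTATUSCODES
250 SMTPUTF8"""

# The STARTTLS line removed entirely by an in-path middlebox.
REMOVED_EHLO = """250-mail.example-receiver.net Hello [192.0.2.10]
250-SIZE 35882577
250-8BITMIME
250-ENHANCEDSTATUSCODES
250 SMTPUTF8"""

# The keyword overwritten in place (assumed middlebox behaviour, constructed).
BLANKED_EHLO = """250-mail.example-receiver.net Hello [192.0.2.10]
250-SIZE 35882577
250-8BITMIME
250-XXXXXXXX
250-ENHANCEDSTATUSCODES
250 SMTPUTF8"""


def ehlo_extensions(response):
    """Return the set of EHLO keywords (upper-cased) from a multi-line 250 reply."""
    extensions = set()
    for line in response.splitlines()[1:]:       # line 0 is the server greeting
        if len(line) < 4 or not line.startswith("250") or line[3] not in "- ":
            raise ValueError("unexpected EHLO reply line: %r" % line)
        keyword = line[4:].strip().split(" ", 1)[0]   # 'SIZE 35882577' -> 'SIZE'
        if keyword:
            extensions.add(keyword.upper())
    return extensions


def starttls_decision(response):
    """'upgrade' when STARTTLS is offered, 'refuse' otherwise (never plaintext)."""
    return "upgrade" if "STARTTLS" in ehlo_extensions(response) else "refuse"


def probe(host, port=25, timeout=10):
    """Live check from this network path: does the EHLO reply still carry STARTTLS?

    A False result from a server known to offer STARTTLS points at stripping
    somewhere between this host and the server.
    """
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        return smtp.has_extn("starttls")


if __name__ == "__main__":
    for name, reply in (("clean", CLEAN_EHLO), ("removed", REMOVED_EHLO), ("blanked", BLANKED_EHLO)):
        print(name, sorted(ehlo_extensions(reply)), "->", starttls_decision(reply))
```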



A creepy website is streaming from 73,000 cameras; some in the bedroom

Posted on November 7th, 2014 at 15:46 by John Sinteur in category: Privacy, Security

[Quote]:

A strange looking website is letting anyone in the world stream from more than 73,000 IP cameras whose respective owners have not yet changed their default passwords. Whether or not this website is highlighting an important security problem as they are claiming to do, this appears to be a serious breach of privacy.

Insecam has access to more than 73,000 cameras all around the globe, which includes more than 11,000 cameras in the United States, 6,500 in the Republic of Korea and almost 5,000 in China. Even though the website states that it is trying to emphasize an important security issue, it is clearly profiting from advertisements as well.



Glenn Greenwald and Snowden: ‘Nobody Should Use Facebook’

Posted on November 4th, 2014 at 18:02 by John Sinteur in category: Privacy

[Quote]:

During a Q&A in Canada, Glenn Greenwald was asked why his colleague and NSA whistleblower, Edward Snowden, wasn’t on any of the social media platforms — i.e., Facebook — and Greenwald didn’t mince words.

“He doesn’t use Facebook because he hates Facebook,” he said. “They’re one of the worst violators of privacy in history. Nobody should use Facebook.”



Simple test page for Cellular ISP tracking beacons

Posted on October 28th, 2014 at 9:43 by John Sinteur in category: Privacy

[Quote]:

If there is a value in the Broadcast UID field at the top of this page, your carrier is sending active tracking beacons to every web site you visit.

Note: Viewing this page with Mobile Chrome or Flipboard can mask tracking beacons.

For technical details, see Jonathan Mayer’s post or recent coverage at Wired.

Update: My original motivation for this test page arose after reading several ad industry write-ups on Verizon’s PrecisionID technology and practices, in particular the fact that in most cases, even after opting out of marketing options via Privacy settings, Verizon continues to inject trackers into every HTTP connection made from your device, whether it’s an Access Point, mobile hotspot, tablet or mobile phone.
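A self-hosted version of such a test page, as an added example that is not the quoted author’s code: a small WSGI app that reports any request header that looks carrier-injected. The header names it recognises by name (X-UIDH for Verizon, X-ACR for AT&T) are taken from public reporting at the time and are not on the page above; the fallback heuristic flags any other `X-` header carrying a long opaque token. The sample requests, including the header values and the `X-Carrier-Tag` name, are constructed.

```python
"""Minimal self-hosted test page for carrier-injected tracking headers."""
import re
from wsgiref.simple_server import make_server

# Header names reported for specific carriers (assumption: taken from public
# reporting, not from the page). WSGI exposes 'X-UIDH' as 'HTTP_X_UIDH'.
KNOWN_BEACON_HEADERS = {
    "HTTP_X_UIDH": "Verizon PrecisionID (UIDH)",
    "HTTP_X_ACR": "AT&T",
}

# X- headers a browser or proxy legitimately sends; skip these in the heuristic.
BENIGN_X_HEADERS = {"HTTP_X_REQUESTED_WITH", "HTTP_X_FORWARDED_FOR",
                    "HTTP_X_FORWARDED_PROTO"}

# A long run of base64/url-safe characters with no spaces: an opaque identifier.
OPAQUE_TOKEN = re.compile(r"^[A-Za-z0-9+/=_-]{16,}$")


def detect_beacons(environ: dict) -> list:
    """Return (header, value, reason) for every header that looks injected."""
    hits = []
    for key, value in environ.items():
        if not key.startswith("HTTP_"):
            continue
        if key in KNOWN_BEACON_HEADERS:
            hits.append((key, value, KNOWN_BEACON_HEADERS[key]))
        elif (key.startswith("HTTP_X_") and key not in BENIGN_X_HEADERS
              and OPAQUE_TOKEN.match(value or "")):
            hits.append((key, value, "unrecognised X- header carrying an opaque token"))
    return hits


def app(environ, start_response):
    """WSGI entry point: echo the verdict for the request we just received."""
    hits = detect_beacons(environ)
    if hits:
        body = "Broadcast UID field(s) present:\n" + "\n".join(
            f"{h}: {v}  ({reason})" for h, v, reason in hits)
    else:
        body = "No tracking beacon headers seen on this request."
    # Injection can only happen on plaintext HTTP; say which scheme was used.
    body += "\nScheme: %s (a carrier cannot add headers to https)\n" % (
        environ.get("wsgi.url_scheme", "?"))
    data = body.encode("utf-8")
    start_response("200 OK", [("Content-Type", "text/plain; charset=utf-8"),
                              ("Content-Length", str(len(data)))])
    return [data]


# Constructed WSGI environs for checking the logic offline.
CLEAN_REQUEST = {"REQUEST_METHOD": "GET", "HTTP_HOST": "test.local",
                 "HTTP_USER_AGENT": "Mozilla/5.0", "wsgi.url_scheme": "http"}
TAGGED_REQUEST = dict(CLEAN_REQUEST,
                      HTTP_X_UIDH="OTgxNTk2NDk0ADJVquRu5NS5rSbBANlrp13QL7CXLGsFHpMi4LsUHw")
UNKNOWN_TAG_REQUEST = dict(CLEAN_REQUEST,
                           HTTP_X_CARRIER_TAG="aGVsbG8gd29ybGQgdGhpcyBpcyBhIHRlc3Q")

if __name__ == "__main__":
    print("Serving on http://0.0.0.0:8080/ ; open it over cellular data, not Wi-Fi.")
    make_server("", 8080, app).serve_forever()
```

Run it on a host reachable from the phone and load the page over plain `http://`, over the cellular network rather than Wi-Fi, since the header is added inside the carrier network. Loading it over `https://` proves nothing either way, which is also the only real defence: a carrier can only rewrite what it can read.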



Comments:

  1. Vodacom in South Africa was adding customers’ IMEI and mobile phone number to the headers of every http request. Yowch.

  2. tested t-mobile here in NL, no headers. Will test telfort in a few days..

  3. Yeah nothing with T-Mo in the US either as far as I saw.

Grooming Students for A Lifetime of Surveillance

Posted on October 14th, 2014 at 19:25 by John Sinteur in category: Privacy

[Quote]:

Since 2011, billions of dollars of venture capital investment have poured into public education through private, for-profit technologies that promise to revolutionize education. Designed for the “21st century” classroom, these tools promise to remedy the many, many societal ills facing public education with artificial intelligence, machine learning, data mining, and other technological advancements.

They are also being used to track and record every move students make in the classroom, grooming students for a lifetime of surveillance and turning education into one of the most data-intensive industries on the face of the earth.



Comments:

  1. Sure, if grading student work had not been invented yet and proposed today then someone would describe it as a nefarious plot to groom students to accept being reduced to a number and aimed to reduce students’ self-confidence.

  2. On the other hand, a MOOC approach to teaching is a great idea, and people could do that from home. Why build schools at all?

  3. Of course all of this would not have happened if they’d stuck with the cardboard computer: https://www.cs.drexel.edu/~bls96/museum/cardiac.html

  4. @pete: That’s wonderful! Thanks.

Spies can access my metadata, so why can’t I? My 15-month legal battle with Telstra

Posted on October 14th, 2014 at 0:13 by John Sinteur in category: Privacy

[Quote]:

After former US National Security Agency contractor Edward Snowden leaked thousands of top-secret documents revealing the extent of spying by the US and other “Five Eyes” agencies, including ones in Australia, I decided it was time to see if I could access what they could on me from my telco.

So I asked Telstra to provide me with all of the metadata it had stored about my mobile phone account, informing them that they had a duty to do this under the Privacy Act’s National Privacy Principles, which give Australian citizens a right of access to their “personal information” from a company, and the right to have that information corrected if it is inaccurate, incomplete or out-of-date.

After about a month of back and forth phone calls chasing up a response, Telstra refused me access, saying I needed a subpoena to access the data. A subpoena is a writ usually issued by a court with authority to compel production of evidence under a penalty for failure.

As I didn’t have the cash to sue Telstra and get a court to issue a writ, I complained to the federal privacy commissioner, claiming Telstra was in breach of the Privacy Act.



Adobe is Spying on Users, Collecting Data on Their eBook Libraries

Posted on October 7th, 2014 at 14:04 by John Sinteur in category: Privacy

[Quote]:

Adobe is gathering data on the ebooks that have been opened, which pages were read, and in what order. All of this data, including the title, publisher, and other metadata for the book is being sent to Adobe’s server in clear text.

I am not joking; Adobe is not only logging what users are doing, they’re also sending those logs to their servers in such a way that anyone running one of the servers in between can listen in and know everything.

But wait, there’s more.

Adobe isn’t just tracking what users are doing in DE4; this app was also scanning my computer, gathering the metadata from all of the ebooks sitting on my hard disk, and uploading that data to Adobe’s servers.

In. Plain. Text.

And just to be clear, this includes not just ebooks I opened in DE4, but also ebooks I store in calibre and every Epub ebook I happen to have sitting on my hard disk.



Comments:

  1. Adobe stupid? I’ve said that before (their products drove me from the field in tears).

    I can’t really understand why they’d bother unless it is some kind of feature:
    “Here’s a list of all those ebooks you forgot you had…”

  2. I was at first not at all excited about app sandboxing on OS X, but I’m starting to warm up to the idea.

FBI Director Angry At Homebuilders For Putting Up Walls That Hide Any Crimes Therein

Posted on September 27th, 2014 at 9:36 by John Sinteur in category: Boo hoo poor you, Privacy, Security

[Quote]:

On Thursday, FBI boss James Comey displayed not only a weak understanding of privacy and encryption, but also of what the phrase “above the law” means, in slamming Apple and Google for making encryption a default:


“I am a huge believer in the rule of law, but I am also a believer that no one in this country is above the law,” Comey told reporters at FBI headquarters in Washington. “What concerns me about this is companies marketing something expressly to allow people to place themselves above the law.”

[….]

“There will come a day — well it comes every day in this business — when it will matter a great, great deal to the lives of people of all kinds that we be able to with judicial authorization gain access to a kidnapper’s or a terrorist or a criminal’s device. I just want to make sure we have a good conversation in this country before that day comes. I’d hate to have people look at me and say, ‘Well how come you can’t save this kid,’ ‘how come you can’t do this thing.'”

First of all, nothing in what either Apple or Google is doing puts anyone “above the law.” It just says that those companies are better protecting the privacy of their users. There are lots of things that make law enforcement’s job harder that also better protect everyone’s privacy. That includes walls. If only there were no walls, it would be much easier to spot crimes being committed. And I’m sure some crimes happen behind walls that make it difficult for the FBI to track down what happened. But we don’t see James Comey claiming that homebuilders are allowing people to be “above the law” by building houses with walls.



The Police Tool That Pervs Use to Steal Nude Pics From Apple’s iCloud

Posted on September 3rd, 2014 at 10:18 by John Sinteur in category: Apple, Do you feel safer yet?, Privacy, Security

[Quote]:

As nude celebrity photos spilled onto the web over the weekend, blame for the scandal has rotated from the scumbag hackers who stole the images to a researcher who released a tool used to crack victims’ iCloud passwords to Apple, whose security flaws may have made that cracking exploit possible in the first place. But one step in the hackers’ sext-stealing playbook has been ignored—a piece of software designed to let cops and spies siphon data from iPhones, but is instead being used by pervy criminals themselves.

On the web forum Anon-IB, one of the most popular anonymous image boards for posting stolen nude selfies, hackers openly discuss using a piece of software called EPPB or Elcomsoft Phone Password Breaker to download their victims’ data from iCloud backups. That software is sold by Moscow-based forensics firm Elcomsoft and intended for government agency customers. In combination with iCloud credentials obtained with iBrute, the password-cracking software for iCloud released on GitHub over the weekend, EPPB lets anyone impersonate a victim’s iPhone and download its full backup rather than the more limited data accessible on iCloud.com. And as of Tuesday, it was still being used to steal revealing photos and post them on Anon-IB’s forum.

[..]

The fact that Apple isn’t complicit in law enforcement’s use of Elcomsoft’s tool for surveillance doesn’t make the tool any less dangerous, argues Matt Blaze, a computer science professor at the University of Pennsylvania and frequent critic of government spying methods. “What this demonstrates is that even without explicit backdoors, law enforcement has powerful tools that might not always stay inside law enforcement,” he says. “You have to ask if you trust law enforcement. But even if you do trust law enforcement, you have to ask whether other people will get access to these tools, and how they’ll use them.”



Apple Issues Media Advisory Related to Celebrity Photo Theft

Posted on September 3rd, 2014 at 0:11 by John Sinteur in category: Apple, Privacy, Security

[Quote]:

Apple issued a media advisory related to the recent celebrity photo theft, saying the accounts were compromised by a very targeted attack on user names, passwords and security questions and that it was not related to any breach of Apple’s systems, including iCloud.

Over the weekend a number of nude celebrity photos appeared online. Jennifer Lawrence, Kate Upton, Lea Michele, Victoria Justice and Kirsten Dunst all had their photos compromised, among others.

We wanted to provide an update to our investigation into the theft of photos of certain celebrities. When we learned of the theft, we were outraged and immediately mobilized Apple’s engineers to discover the source. Our customers’ privacy and security are of utmost importance to us. After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud® or Find my iPhone. We are continuing to work with law enforcement to help identify the criminals involved.

To protect against this type of attack, we advise all users to always use a strong password and enable two-step verification. Both of these are addressed on our website at http://support.apple.com/kb/ht4232.

If you are a celebrity, it’s more likely that people know the name of your first pet, or your mother’s maiden name…
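What Apple calls “a very targeted attack on user names, passwords and security questions” is credential guessing, and the iBrute post above shows the tooling for it. The control that blunts guessing on the server side is per-account failure counting with a temporary lockout. The following is an added example, not Apple’s code and not a description of how iCloud works: a small authentication service with that control, plus a guessing loop run against a throttled and an unthrottled instance. The wordlist, the account, the threshold of five failures and the fifteen-minute lockout are all constructed or illustrative choices.

```python
"""Per-account throttling against online password guessing (illustrative)."""
import hashlib
import hmac
import os
import time

# Constructed wordlist standing in for the guesses a cracking tool would feed.
GUESSES = ["password", "123456", "qwerty", "letmein", "Passw0rd",
           "correct horse", "hunter2"]


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class AuthService:
    """Password check with a failure counter and lockout per account.

    max_failures and lockout_seconds are illustrative defaults, not any
    vendor's. clock is injectable so the lockout can be tested deterministically.
    """

    def __init__(self, max_failures: int = 5, lockout_seconds: int = 900,
                 clock=time.time):
        self._accounts = {}
        self._max_failures = max_failures
        self._lockout = lockout_seconds
        self._clock = clock
        # Dummy credential so an unknown user costs the same time as a real one
        # (avoids confirming which user names exist via response timing).
        self._dummy_salt = os.urandom(16)
        self._dummy_hash = _hash("unused", self._dummy_salt)

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._accounts[user] = {"salt": salt, "hash": _hash(password, salt),
                                "failures": 0, "locked_until": 0.0}

    def login(self, user: str, password: str) -> str:
        """Return 'ok', 'bad_credentials' or 'locked'."""
        now = self._clock()
        acct = self._accounts.get(user)
        if acct is None:
            hmac.compare_digest(_hash(password, self._dummy_salt), self._dummy_hash)
            return "bad_credentials"
        if now < acct["locked_until"]:
            return "locked"  # no password check at all while locked
        if hmac.compare_digest(_hash(password, acct["salt"]), acct["hash"]):
            acct["failures"] = 0
            return "ok"
        acct["failures"] += 1
        if acct["failures"] >= self._max_failures:
            acct["failures"] = 0
            acct["locked_until"] = now + self._lockout
            return "locked"
        return "bad_credentials"


def run_guessing(service: AuthService, user: str, guesses) -> dict:
    """Feed each guess to service.login and count the outcomes."""
    counts = {"ok": 0, "bad_credentials": 0, "locked": 0}
    for guess in guesses:
        counts[service.login(user, guess)] += 1
    return counts


if __name__ == "__main__":
    for label, limit in (("unthrottled", 10**9), ("throttled", 5)):
        svc = AuthService(max_failures=limit)
        svc.register("victim", "hunter2")  # last entry of the constructed list
        print(label, run_guessing(svc, "victim", GUESSES))
```

Against the unthrottled instance the seventh guess succeeds; against the throttled one the account locks on the fifth failure and the correct password is never even checked. Two caveats a practitioner would add: a lockout is itself a denial-of-service lever (a progressive delay is the gentler alternative), and a per-account counter does nothing against a tool that tries one common password across many accounts, so an IP-level or global rate limit is needed as well. None of this helps with the security questions John points to above; those need answers nobody can look up, which is what the first comment below recommends.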



Comments:

  1. Right John, it is why I advise people to make up random letters and numbers for those all too frequently used security questions. Also, never use the same answer twice.

