This is a must read on why Signal is the clear secure messaging choice over WhatsApp:

In short, if a government demands that Open Whisper Systems hand over the content or metadata of a Signal message or a user’s contact list, it has nothing to hand over. And that government will have just as little luck requesting backups of Signal messages from Google or Apple.

From a user privacy perspective, Signal is the clear winner, but it’s not without its downsides.

Compared to WhatsApp’s 1 billion users, Signal’s user base is minuscule. Marlinspike said that they don’t publish statistics about how many users they have, but Android’s Google Play store reports that Signal has been downloaded between 1 and 5 million times. The iPhone App Store does not publish this data.

Too bad almost nobody uses Signal. Convincing people to switch their text-messaging app is almost like trying to get people to convert religions.

From the business-as-usual department comes this news that government, as quietly as possible, is renewing its assault on your privacy:

A report from the nonpartisan Government Accountability Office harshly criticized the FBI last week for its little discussed but frequently used facial recognition database and called on the bureau to implement myriad privacy and safety protections. It turns out the database has far more photos than anyone thought – 411.9m to be exact – and the vast majority are not mugshots of criminals, but driver’s license photos from over a dozen states and passport photos of millions of completely innocent people. The feds searched it over 36,000 times from 2011 to 2015 (no court order needed) while also apparently having no idea how accurate it is.

Worse, the FBI wants its hundreds of millions of facial recognition photos – along with its entire biometric database that includes fingerprints and DNA profiles – to be exempt from important Privacy Act protections. As the Intercept reported two weeks ago: “Specifically, the FBI’s proposal would exempt the database from the provisions in the Privacy Act that require federal agencies to share with individuals the information they collect about them and that give people the legal right to determine the accuracy and fairness of how their personal information is collected and used.”

Welcome to the Federal Bureau of Investigation, where anything can be done, regardless of the implications on American free society, American values, and personal privacy. Because, terrorism.

Mobile advertising firm InMobi has been fined $950,000 by the FTC for secretly collecting users’ locations:

A mobile advertising company that tracked the locations of hundreds of millions of consumers without consent has agreed to pay $950,000 in civil penalties and implement a privacy program to settle charges that it violated federal law.

The US Federal Trade Commission alleged in a complaint filed Wednesday that Singapore-based InMobi undermined phone users’ ability to make informed decisions about the collection of their location information. While InMobi claimed that its software collected geographical whereabouts only when end users provided opt-in consent, the software in fact used nearby Wi-Fi signals to infer locations when permission wasn’t given, FTC officials alleged. InMobi then archived the location information and used it to push targeted advertisements to individual phone users.

Specifically, the FTC alleged, InMobi collected nearby basic service set identification addresses, which act as unique serial numbers for wireless access points. The company, which thousands of Android and iOS app makers use to deliver ads to end users, then fed each BSSID into a “geocoder” database to infer the phone user’s latitude and longitude, even when an end user hadn’t provided permission for location to be tracked through the phone’s dedicated location feature.

This is one of the strong reasons for advocating the use of ad blocking technology. Advertising firms are mostly scummy and will do whatever they can to collect data and metrics, oftentimes at the expense of security and privacy.

In a move surprising nobody, Russia demands backdoor to spy on instant messaging app users:

The bill is being pushed by Russian Senator Elena Mizulina, who said she is deeply concerned about closed chatrooms on messaging apps because teenagers are being “brainwashed” by extremists into murdering police officers, according to Current Time, a TV station for Russian-speaking audiences in countries bordering Russia.

The bill also states that citizens will be fined between 3,000-5,000 rubles if they don’t comply with decrypting electronic communications, while officials who stand in the way can potentially be fined 30,000-50,000 rubles.

Mizulina is also behind the controversial law banning “homosexual propaganda” from 2013 and has also called for messaging platforms to be “pre-filtered” in the past in order to cut down and prevent conversations about suicide, but this was deemed to be infeasible to deploy as a solution thanks to the way encryption works.

Sounds like Russia is facing the same kinds of problems with idiotic politicians the rest of the world continues to deal with on a daily basis.

According to Motherboard, the Tor Project is working with security researchers to protect users from FBI hacking:

But according to a new paper, security researchers are now working closely with the Tor Project to create a “hardened” version of the Tor Browser, implementing new anti-hacking techniques which could dramatically improve the anonymity of users and further frustrate the efforts of law enforcement.

Specifically, the researchers are currently testing “Selfrando,” a technique made to protect against browser exploits such as the one reportedly used by the FBI.

The new method is meant to counteract what’s known as “code reuse” exploits, where rather than attempting the much harder task of injecting new malicious code, an attacker will exploit a memory leak to reuse code libraries that already exist in the browser—essentially, building malware by rearranging things inside the application’s memory.

To do that, an attacker generally needs to have an idea of where certain functions are located within the application’s memory space. But the current security mechanisms in browsers only randomize the locations of code libraries, not the individual functions. Which is where the Selfrando technique comes in, creating a random address space for internal code that’s much harder to exploit.
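To make the difference described in the excerpt concrete, here is a simplified model added for illustration. It is not Selfrando's implementation and not code from the article, and the function names, sizes and address ranges are constructed. It measures, from the defender's side, whether the distance between two functions stays constant across loads when only the library base is randomized versus when the function order is also shuffled.

```python
import random

# Constructed sample: (name, size in bytes) for functions of a hypothetical library.
FUNCS = [
    ("parse", 0x120), ("render", 0x340), ("alloc", 0x80),
    ("free_buf", 0x60), ("decode", 0x200), ("log_msg", 0x40),
]
PAGE = 0x1000


def layout(base, funcs):
    """Place functions back to back starting at base; return name -> address."""
    addrs, cursor = {}, base
    for name, size in funcs:
        addrs[name] = cursor
        cursor += size
    return addrs


def random_base(rng):
    """Pick a page-aligned load address (range is an arbitrary assumption)."""
    return rng.randrange(0x1000, 0x100000) * PAGE


def load_library_level(rng):
    """Library-level randomization: random base, fixed internal order."""
    return layout(random_base(rng), FUNCS)


def load_function_level(rng):
    """Function-level randomization: random base and a fresh function order."""
    order = FUNCS[:]
    rng.shuffle(order)
    return layout(random_base(rng), order)


def observed_deltas(loader, known, other, trials=200, seed=1):
    """Set of distinct (other - known) distances seen across simulated loads."""
    rng = random.Random(seed)
    deltas = set()
    for _ in range(trials):
        m = loader(rng)
        deltas.add(m[other] - m[known])
    return deltas


def static_offset_hit_rate(loader, known, other, trials=200, seed=1):
    """Fraction of loads where the offset from the on-disk layout still holds."""
    reference = layout(0, FUNCS)
    static_delta = reference[other] - reference[known]
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        m = loader(rng)
        if m[other] - m[known] == static_delta:
            hits += 1
    return hits / trials


if __name__ == "__main__":
    for name, loader in [("library-level", load_library_level),
                         ("function-level", load_function_level)]:
        d = observed_deltas(loader, "parse", "alloc")
        r = static_offset_hit_rate(loader, "parse", "alloc")
        print(f"{name}: {len(d)} distinct distances, static offset valid in {r:.0%} of loads")
```

In this model the base changes on every load in both cases; what function-level shuffling removes is the fixed relationship between one known address and every other function in the same library.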

Apple goes all in on encryption despite FBI concerns:

As part of the new system, developers building software for Apple’s devices will be able to opt for users’ information to have no encryption, single-key encryption, or multi-key encryption “with per-file keys for file data and a separate key for sensitive metadata” – comparable to leaving a door unlocked, using one key, or using two keys.

In its documentation of APFS, Apple explains that full disk encryption has been available on OS X since version 10.7 Lion. APFS differs in that it encrypts files individually rather than as one unit, similar to other encryption mechanisms Apple introduced to its iOS platform in 2010. It also encrypts related metadata – the basic summary attached to each file – and will keep data secure even when the device has been physically hacked.

Since its battle with the FBI, Apple has made a number of important changes to increase security and tighten encryption. Apple itself couldn’t decrypt information the agency demanded, but the company did have the keys to access information stored in the shooter’s iCloud account. The company is now reportedly considering a system that wouldn’t allow it to access iCloud data.

This is my hometown and I am stunned Los Angeles leadership believes this to be a viable option for preventing human trafficking (emphasis added):

Councilwoman Martinez feels that prostitution is not a “victimless” crime, and that by discouraging johns, the incidence of the crime can be reduced. Martinez told CBS Los Angeles, “If you aren’t soliciting, you have no reason to worry about finding one of these letters in your mailbox. But if you are, these letters will discourage you from returning. Soliciting for sex in our neighborhoods is not OK.”

The Los Angeles City Council voted Wednesday to ask the office of the City Attorney for their help implementing the plan.

Have Ms. Martinez and the Los Angeles City Council taken leave of their senses? This scheme makes, literally, a state issue out of legal travel to arbitrary places deemed by some — but not by a court, and without due process — to be “related” to crime in general, not to any specific crime.

There isn’t “potential” for abuse here, this is a legislated abuse of technology that is already controversial when it’s used by police for the purpose of seeking stolen vehicles, tracking down fugitives and solving specific crimes.

This is just unbelievable and completely unjustified no matter what the Santa Monica Police Department would like everyone to believe:

I said it was only me and, hands still raised, slowly descended the stairs, focused on one officer’s eyes and on his pistol. I had never looked down the barrel of a gun or at the face of a man with a loaded weapon pointed at me. In his eyes, I saw fear and anger. I had no idea what was happening, but I saw how it would end: I would be dead in the stairwell outside my apartment, because something about me — a 5-foot-7, 125-pound black woman — frightened this man with a gun. I sat down, trying to look even less threatening, trying to de-escalate. I again asked what was going on. I confirmed there were no pets or people inside.

I told the officers I didn’t want them in my apartment. I said they had no right to be there. They entered anyway. One pulled me, hands behind my back, out to the street. The neighbors were watching. Only then did I notice the ocean of officers. I counted 16. They still hadn’t told me why they’d come.

It is unfortunate America has become so afraid these days that so many people are willing to sacrifice their humanity in the name of perceived safety.

The United Nations Privacy Chief has publicly stated UK surveillance is “worse than 1984” (emphasis added):

The newly appointed UN special rapporteur on privacy, Joseph Cannataci, has called the UK’s oversight of surveillance “a rather bad joke at its citizens’ expense,” and said that the situation regarding privacy is “worse” than anything George Orwell imagined in his novel 1984. Speaking to The Guardian, Cannataci said: “at least Winston [a character in Orwell’s 1984] was able to go out in the countryside and go under a tree and expect there wouldn’t be any screen, as it was called. Whereas today there are many parts of the English countryside where there are more cameras than George Orwell could ever have imagined. So the situation in some cases is far worse already.”

Cannataci is also concerned about the routine surveillance carried out by Internet companies as a key part of their business model. “They just went out and created a model where people’s data has become the new currency,” he said. “And unfortunately, the vast bulk of people sign their rights away without knowing or thinking too much about it.”

The mandate of the new post of UN special rapporteur on privacy is broad. Cannataci, who is a professor of law at the University of Malta, and uses neither Facebook nor Twitter, is empowered to review government policies on digital surveillance and the collection of personal data, and to identify activities that harm privacy protection without any compelling justification. He can also give his views on how the private sector should be addressing its human rights responsibilities in this field.

Not exactly a ringing endorsement for today’s UK privacy climate.

Thanks to the advocacy of many industry and privacy groups, the Obama Administration has finally listened and is rewriting its controversial zero-day export policy (emphasis added):

For two months, security researchers have been fighting a controversial export policy known as the Wassenaar Arrangement — and now it looks like they may have won a crucial battle in that fight. In a closed-door meeting this morning, a Commerce Department representative said the agency’s Wassenaar-inspired export controls were currently being rewritten after the comment period ended last week. The new version will be “quite different,” according to a Commerce official quoted by PoliticoPro, and will be followed by a second round of public comments.

First laid out in May, the Department of Commerce’s new export rules were controversial from the start, with many in the security community saying the rules would make it impossible to develop and deploy benign security tools. Companies also raised concerns that the rules would hamper international bug bounties, which are now a common security practice among software vendors. Commerce held a two-month comment period on the proposed rules, in which time Google, Facebook, and dozens of other companies filed comments critical of the regulations as written. Now that the comment period is closed, it appears Commerce took those criticisms to heart.

The outstanding question is this: how much of the policy will be rewritten to address the many real concerns with the original draft?

It seems the privacy and tech communities are thoroughly against CISA and are now asking President Obama to veto CISA because it is a horrible piece of legislation:

CISA will be of little help in preventing data breaches and information theft from occurring. For one, the real-time sharing of information that CISA calls for would result in an overwhelming amount of information. The Department of Homeland Security would be receiving a huge volume of data, most of which contains no presence of a cyber-threat. Actual threats would be drowned out by false alarms, making it harder to catch an attack.

At the same time experts agree that information sharing is not the way to prevent massive data breaches. The numbers show that good cyber hygiene would prevent most attacks. According to the Verizon Data Breach Investigations Report, 90% of all incidents are caused by human error and 99.9% of attacks exploit vulnerabilities that have been public for over a year. Updating computer systems, securing end points, and raising awareness on cyber safety are all simple steps that would greatly reduce data breaches. The JP Morgan data breach occurred because a server was left unattended. The Home Depot hack exploited a vulnerability that the company had already been made aware of. The OPM breach occurred because the hackers obtained the log-in credentials of an OPM contractor.

Moreover, information sharing already takes place within the private sector. The larger companies share threat indicators, either directly with one another or through the Information Sharing and Analysis Centers that the government has already established. And as the OPM breach demonstrates, the government is not a secure custodian for personal data.

This story of Moxie Marlinspike, the developer responsible for a number of privacy-enhancing applications such as the one recently added to WhatsApp, is quite the fascinating read:

Mr. Marlinspike created an encryption program that scrambles messages until they reach the intended reader. It’s so simple that Facebook Inc.’s WhatsApp made it a standard feature for many of the app’s 800 million users.

The software is effective enough to alarm governments. Earlier this year, shortly after WhatsApp adopted it, British Prime Minister David Cameron called protected-messaging apps a “safe space” for terrorists. The following week, President Barack Obama called them “a problem.”

That makes the lanky, dreadlocked and intensely private coder a central figure in an escalating debate about government and commercial surveillance. In a research paper released Tuesday, 15 prominent technologists cited three programs relying on Mr. Marlinspike’s code as options for shielding communications.

His encrypted texting and calling app, Signal, has come up in White House meetings, says an attendee. Speaking via video link last year as part of a panel on surveillance, former National Security Agency contractor Edward Snowden, who leaked troves of U.S. spying secrets, urged listeners to use “anything” that Mr. Marlinspike releases.

This little gem of a Raspberry Pi-based tool allows anyone to anonymously access wifi from up to 2.5 miles away from a wireless access point:

Proxyham is composed of a WiFi-enabled Raspberry Pi computer and three antennas setup. One of the antennas connects to a source public Wi-Fi network while the other two transmit the Wi-Fi signal at a frequency of 900 MHz.

Therefore, this appliance works very effectively with a radio connection of 900 Megahertz. It is capable of connecting distanced Wi-Fi, at a range of 1 to 2.5 Miles. Though several interference factors are considered.

In case some spying agents manage to track the target’s internet connection they will only be able to disclose the IP address of ProxyHam box which would be transmitting some low-level radio signal thousands of feet away at different direction.

Caudill disclosed that he along with some of his colleagues are working over a Motherboard with an additional feature of self-destructing the ProxyHam.

So basically, you can be 2.5 miles away from your BFF’s house and still use their wifi without their knowledge. Imagine the impact this will have on court cases relying solely on IP address information to prosecute online criminal activity.

An obviously clueless Japanese Judge orders Google to delete links to a man’s previous under-age sexual solicitation arrests from the search engine in an attempt to hide his embarrassing past from the world:

In 2012, the man was arrested for paying a girl under the age of 18 for sexual favors. He was charged with violating child prostitution laws and fined 500,000 yen. However, his name and news reports regarding the arrest still come up in Google searches.

Claiming that this was an infringement upon his personal rights, the man petitioned to have the information deleted from the search engine. His lawyer told the court his client had been rehabilitated and that it was difficult to get on with his life as long as his arrest record remains online.

In handing down the ruling, the presiding judge said such relatively minor crimes do not hold any particular significance to the public and therefore continuing to display such information three years after the incident does not have much merit for society at large.

Someone needs to learn how Google and the internets work. Deleting links from Google’s search engine will not make the stories go away nor will it make them more difficult to find. In fact, this ruling will likely shed more light on his asshattery.

As an aside, I find it quite interesting how the presiding judge considers underage sexual solicitation to have been a “relatively minor crime” considering how damaging it likely will be to her for the rest of her life. Unbelievably out of touch.

Welcome to the Streisand Effect.

The Intercept has a scary piece on how XKeyScore is NSA’s Google for the world’s private communication. First, in case you have forgotten what XKeyScore is, it was first revealed by The Guardian in July 2013 (emphasis added):

The NSA’s XKEYSCORE program, first revealed by The Guardian, sweeps up countless people’s Internet searches, emails, documents, usernames and passwords, and other private communications. XKEYSCORE is fed a constant flow of Internet traffic from fiber optic cables that make up the backbone of the world’s communication network, among other sources, for processing. As of 2008, the surveillance system boasted approximately 150 field sites in the United States, Mexico, Brazil, United Kingdom, Spain, Russia, Nigeria, Somalia, Pakistan, Japan, Australia, as well as many other countries, consisting of over 700 servers.

These servers store “full-take data” at the collection sites — meaning that they captured all of the traffic collected — and, as of 2009, stored content for 3 to 5 days and metadata for 30 to 45 days. NSA documents indicate that tens of billions of records are stored in its database. “It is a fully distributed processing and query system that runs on machines around the world,” an NSA briefing on XKEYSCORE says. “At field sites, XKEYSCORE can run on multiple computers that gives it the ability to scale in both processing power and storage.”

So what types of data, specifically, is XKeyScore capable of collecting? Here is the answer:

XKEYSCORE also collects and processes Internet traffic from Americans, though NSA analysts are taught to avoid querying the system in ways that might result in spying on U.S. data. Experts and privacy activists, however, have long doubted that such exclusions are effective in preventing large amounts of American data from being swept up. One document The Intercept is publishing today suggests that FISA warrants have authorized “full-take” collection of traffic from at least some U.S. web forums.

The system is not limited to collecting web traffic. The 2013 document, “VoIP Configuration and Forwarding Read Me,” details how to forward VoIP data from XKEYSCORE into NUCLEON, NSA’s repository for voice intercepts, facsimile, video and “pre-released transcription.” At the time, it supported more than 8,000 users globally and was made up of 75 servers absorbing 700,000 voice, fax, video and tag files per day.

The reach and potency of XKEYSCORE as a surveillance instrument is astonishing. The Guardian report noted that NSA itself refers to the program as its “widest reaching” system. In February of this year, The Intercept reported that NSA and GCHQ hacked into the internal network of Gemalto, the world’s largest provider of cell phone SIM cards, in order to steal millions of encryption keys used to protect the privacy of cell phone communication. XKEYSCORE played a vital role in the spies’ hacking by providing government hackers access to the email accounts of Gemalto employees.

Numerous key NSA partners, including Canada, New Zealand and the U.K., have access to the mass surveillance databases of XKEYSCORE. In March, the New Zealand Herald, in partnership with The Intercept, revealed that the New Zealand government used XKEYSCORE to spy on candidates for the position of World Trade Organization director general and also members of the Solomon Islands government.

These newly published documents demonstrate that collected communications not only include emails, chats and web-browsing traffic, but also pictures, documents, voice calls, webcam photos, web searches, advertising analytics traffic, social media traffic, botnet traffic, logged keystrokes, computer network exploitation (CNE) targeting, intercepted username and password pairs, file uploads to online services, Skype sessions and more.

Yes, your cyber sex video chats with nude girls from all over the globe are captured by the NSA, watched, likely laughed at, and then indefinitely stored on their servers to be used against you at a later date.

This is, by far, the scariest of any of the NSA programs brought to light to date. The capabilities of this system outlined in the article, and the lack of any technically-oriented security controls, are really what is more terrifying than anything.

That an NSA analyst can jump on XKeyScore and type in any type of search term and be provided with results, regardless of whether the search violated US laws and statutes, is confounding.