http://www.liveammo.com Security News Blog
legal or not, this sort of spying program probably isn't worth infringing our civil liberties for — because it's very unlikely that the type of information one can glean from it will help us win the war on terrorism.
Interesting mathematical analysis of how effective the NSA domestic call-tracking spy program could possibly be.
Time to switch your phone company. AT&T rewrote its privacy policy to basically say that your data is theirs and they will do what they please. Some legal maneuvering to allow them to continue to sell those records to the NSA to spy on you. All Cingular customers should now be wary, since AT&T will own them once the acquisition is complete.
But I guess, what do you expect when we live in a country that doesn't explicitly grant privacy protections like the EU and where privacy is routinely tromped on by companies and the government for their own ends? And when the US public has been trained that this is okay?
http://www.networkingpipeline.com/showArticle.jhtml?articleID=189600470
The most disturbing revelation came on June 30, 2006, when it was revealed that the NSA allegedly "Sought U.S. Call Records 7 Months Before 9/11". This is a perfect example of the danger of unchecked governmental power and of unrestrained trust that government will not abuse the power given to it or taken by it (as in the Bush Administration).
My concern is that the Bush Administration may be spying only on suspected terrorists the way that it invades only countries supporting those who attacked the United States on 9/11. My concern is with the possibility that Bush Administration officials might have an agenda, with an ulterior motive, that would involve invading a country so they rationalize a way of thinking about this country that makes it seem to them to be worthy of attack.
Emphasis added. This is a perfect description of why these programs are so troubling. The whole article, in fact, is a look through a crystal ball of where this country is heading if we allow unfettered power in the hands of the Executive branch.
The American democratic "experiment" needs some adjustment to rebalance power. Congress as watchdog is more like a lapdog. They don't wield their power over the purse strings: they hand out blank checks and don't oversee what we are getting for that money.
A gaggle of links about the illegal NSA domestic spying program, more apropos in light of even more spying by the Bush Administration -- this time on international wire transfers.
Think Progress: NSA Whistleblower To Expose More Unlawful Activity: ‘People…Are Going To Be Shocked’
Media Matters - Myths and falsehoods on the NSA domestic call-tracking program
Illegal NSA Data Mining Highlights Need for Congressional Oversight CDT legal analysis (Center for Democracy and Technology) of the NSA spying program
And some analysis of how this kind of program is ineffective (My favorite description is that finding a needle in a haystack is not made easier by increasing the size of the haystack)
Boing Boing: Encrypted VOIP from PGP creator Zimmermann: Zfone
Good reason to switch to VOIP instead of traditional phones to protect yourself from Big Brother Bush.
GNU project founder foils UN security
Glad my passport does not expire for many years to come. Perhaps by then passports won't have RFID tags in them any longer. But if they do, I guess this is an easy way to keep myself from being a target for a shoulder-fired missile overseas.
Founder of the GNU project, Richard Stallman, got in trouble at the UN World Summit on the Information Society in Tunis for putting tin foil around his RFID.
When Legal Strikes—Chaos Theory Meets DRM
Sadly, as management gets more cautious about legal repercussions, lawyers get a voice in decisions in which they not only have no expertise (such as IT), but in customer-facing initiatives, as well. Sony's aggressive spyware approach to DRM smells to high hell of the kind of good-intentions-turned-cognitive-dirty-bomb so many Legal-inspired projects descend into.
This is an interesting opinion that I think is only potentially applicable to situations where the lawyer in question is representing the company's explicit interest. I haven't seen this happen in general though--particularly where the corporate lawyers are addressing issues that are _not_ in regards to the company interest (e.g. privacy law).
For the most part, I have seen these lawyers define a very low bar for a company to meet. The same tendency of lawyers to "tend to wield power disproportionate to their duties" (I would use the word "influence" instead of power) leads to these proclamations being interpreted to mean that the company should only meet the minimum bar. These lawyers are not in the business of suggesting what the company _should_ do, only the minimum of what it _has_ to do. Laws aren't necessarily sufficient or detailed enough to ensure that they are complied with, however. I have had several situations where lawyers have undone good security work by proliferating the fact that the law didn't require the prescribed procedures, even though those procedures were in place to uphold that law. Lawyers seem to wield more influence than security folks, though, so who do you think was listened to?
EFF: DocuColor Tracking Dot Decoding Guide
This is a breakthrough. It has been rumoured for years that printers and copy machines include secret codes on documents to track them back to the source machine but the EFF now has real evidence and even tools that you can use to perhaps decode your printer's secret tracking information.
This guide is part of the Machine Identification Code Technology project. It explains how to read the date, time, and printer serial number from forensic tracking codes in a Xerox DocuColor color laser printout. This information is the result of research by Robert Lee, Seth Schoen, Patrick Murphy, Joel Alwen, and Andrew "bunnie" Huang. We acknowledge the assistance of EFF supporters who have contributed sample printouts to give us material to study. We are still looking for help in this research; we are asking the public to submit test sheets or join the printers mailing list to participate in our reverse engineering efforts.
FBI Dealt Setback on Cellular Surveillance
Finally some restraint on use of the PATRIOT act powers. Especially in light of recent FOIA documents that EPIC found that show abuses by law enforcement.
The FBI may not track the locations of cell phone users without showing evidence that a crime occurred or is in progress, two federal judges ruled, saying that to do so would violate long-established privacy protections.
PrivacyActivism.org - Data Aggregators: A Study of Data Quality and Responsiveness
Results of a study conducted by PrivacyActivism show that data aggregators have significant problems with accuracy and responsiveness, potentially serious issues for an industry already under fire for massive security breaches. 100% of the eleven participants in the study discovered errors in background check reports provided by ChoicePoint. The majority of participants found errors in even the most basic biographical information: name, social security number, address and phone number (in 67% of Acxiom reports, 73% of ChoicePoint reports). Moreover, over 40% of participants did not receive their reports from Acxiom -- and the ones who did had to wait an average of three months from the time they requested their information until they received it.
To go along with my other post on data aggregator service efficacy, another set of nails in the coffin. Keep in mind that this is anecdotal. However, there was at least one other study, which I can't find a reference for, that found something like 80% of entries had errors.
Anyhow, more fuel to the fire from real-life experience with ChoicePoint data was the voter roll purging debacle:
The Department of State awarded a $4-million contract to Boca Raton-based Database Technologies Inc. (now ChoicePoint Inc.) to find improperly registered voters in the state's database. Database Technologies cross-checked voter lists with federal and state databases to find illegal voters by matching names, birth dates and other characteristics. Mistakes were rampant.
The Five Most Shocking Things About the ChoicePoint Debacle - CSO Magazine - May 2005
Maybe it was the fact that this wasn't a hack. Personal information of nearly 145,000 people wasn't stolen from ChoicePoint. In fact, the company sold the information to inadequately vetted bogus businesses--this when the company itself helps other businesses verify cred[entials of employees or others using the data in their databank].
A great point that has been lost in a lot of the reporting. Just how useful is the service they provide when they were spoofed over 50 times by fraudulent users?
These companies always beg the question of which entities are authorized to be their customers to "legitimately" obtain this kind of sensitive data about people? What would stop me from paying to get the data on anyone they had? What criteria would they establish to prevent just anyone from getting at this data? Or, do they not care as long as you have the cash?
ChoicePoint likely would love to keep the focus on how this was just an isolated case where these 50+ users fooled them. But does it even matter that the identities were fraudulent? Would it have been okay if I signed up with my own identity and obtained information on these 145,000 people instead?
Schneier on Security: RFID Passport Security
"The solution would require an RFID reader to provide a key or password before it could read data embedded on an RFID passport's chip. It would also encrypt data as it's transmitted from the chip to a reader so that no one could read the data if they intercepted it in transit." The devil is in the details, but this is a great idea.
I have to agree with some of the posters to Bruce Schneier's blog that this is certainly not a "great idea".
Here is a related article on the government caving to privacy advocates. Feds Rethinking RFID Passport
Wired News: Surveillance Works Both Ways
At this year's Computers, Freedom and Privacy conference in Seattle, Steve Mann enlisted volunteers to film those who were filming them in local Seattle businesses. They got varied responses. I think this would be really useful in airports to monitor what the TSA does. But, I bet they would not be so happy about that.
"The totalitarian regime is the regime that would like to know everything about everyone but reveal nothing about itself."

"What I argue is that if I'm going to be held accountable for my actions that I should be allowed to record ... my actions," Mann said. "Especially if somebody else is keeping a record of my actions."
There is an article on ID theft causes that has a great summary of the fundamental factors in ID theft from entities entrusted with your private data: They can't steal data you don't have.
We have observed that some of the sensitive data that gets stolen fits into one of several categories:
- Data that was never needed
- Data that was needed but should never have been stored
- Data that was originally needed but was kept far beyond its useful life
- Data that should never have been stored in an unencrypted form
At some point, the question "Did you consider not having this data" is going to become a standard part of lawsuits. If you're an IT manager, are you planning for that day?
I had actually included these questions in a decision tree for my corporate privacy strategy. Most people go right to "encrypt" sensitive data and don't back up and ask these more fundamental "behavioural" questions, which are often a) more effective at solving or eliminating the problems and b) have fewer drawbacks than simply "encrypt everything everywhere, but still store it".
I've seen the "encrypt everything everywhere" mantra effectively require "copies of encryption keys everywhere", which gives your corporation a false sense of security. "The data's encrypted", the executives say. However, if you cannot implement secure key management (you have to know that you need to do this, then have the knowledge to design the solution to be effective and manageable, then you have to be able to implement it across diverse groups who don't all understand cryptography...), then you effectively have the keys to decrypt the data right next to each of your excessive, unnecessary encrypted copies of that sensitive data.
Beware the buzzword-compliant solution!
Computer theft may expose data on 180,000 patients - Computerworld
APRIL 08, 2005 (COMPUTERWORLD) - A San Jose-based medical practice has notified about 180,000 current and former patients about the theft of their personal information contained on two computers stolen from its offices during a burglary March 28.
And recall the other recent privacy breach due to a lost laptop:
Stolen UC Berkeley laptop exposes personal data of nearly 100,000
By MICHAEL LIEDTKE, AP Business Writer, Tuesday, March 29, 2005. A thief recently walked into a University of California, Berkeley office and swiped a laptop computer containing personal information about nearly 100,000 alumni, graduate students and past applicants, highlighting a continued lack of security that has increased society's vulnerability to identity theft.
Now, some have pointed out that the California law SB 1386, which required these organizations to disclose their privacy breaches, has the unintended consequence of notifying the thieves of these laptops that there may be information on them worth far more than the laptops themselves -- something that is probably not the primary goal of most laptop thieves. However, I actually think that in these two cases the organizations erred in disclosing too much information about the details of the breach.
Nothing that I read into SB 1386 says that you have to say exactly HOW the breach happened. The requirement in the law is simply that you have to "notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.", where "'breach of the security of the system' means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business."
So, the law requires that you notify the affected parties that
a) there was a breach, or
b) you have reason to believe that the affected party's personal information was disclosed
IANAL, but do yourself a favor and be sparing with the details of your next breach.
If you are interested in research into the field of anonymity, check this site out.
The "goal is to set up something we can point at for people new to the field [anonymity] (and most of us are still new to the field, it seems), so they know which papers to look at to get up to speed. The ones I particularly recommend have boxes around them."
ABCNews is reporting that several police agencies are under fire for domestic spying. Those of you who think that the government can have all the power it thinks it wants without checks and balances should take heed that this certainly breeds abuses. Read this article. See the trend toward more domestic spying. Be afraid.
I hope that Seattle maintains their current ban on this practice.
tecChannel reverse-engineered Windows Update and found that it can spy on other installed applications. It is unclear whether it actually does spy, although an article at The Inquirer claims as much.
They are offering a utility that you can run yourself to spy on the spyware. You have to pay 1.99 Euro for the full article and get the software included. A summary can be found for free though at The Inquirer.
"The information can pass on to Microsoft a list of all of the software installed on an individual's computer, including software manufactured by other manufacturers."
There is a slashdot story as well.
An article update shows a dump of what a hardware configuration looks like being sent to Microsoft.
"Big Brother is watching you - and documenting: eBay, ever anxious to up profits, bends over backward to provide data to law enforcement officials"
Buyer (and seller) beware...
Declan McCullagh asks a good question on the cryptography list:
When encryption is omnipresent in everything from wireless networks to hard drives to SSH clients, might the basic effect of such a law [Patriot 2] be to boost potential maximum prison terms by five years?
It is a terrible idea to presume that using encryption is an aggravating circumstance. "Why are you using encryption? You must have something to hide..."
Original SAFE Act: http://thomas.loc.gov/cgi-bin/bdquery/z?d105:h.r.00695:
Leaked new Patriot Act 2 draft: http://www.privacy.org/patriot2draft.pdf