Saturday, December 10, 2011

Teacher ridicules 7 year old student on Facebook

Originally published 4/05/11 on

Andre Yoskowitz at reports that a teacher at a school in Chicago faces discipline for making fun of a student's hair on Facebook. This was bad enough when I assumed it was a teacher making fun of a middle or high school student. But it wasn't. The student was a 7 year old who asked her mom to do her hair like a picture in a magazine. It looked cute, so mom tied Jolly Rancher candies to her daughter's hair. Other teachers complimented the child for her colorful hairstyle, so why should a teacher wanting a picture make a 7 year old suspicious? The teacher posted the picture on her Facebook with some rude comments. Inevitably, someone who knew the parent and was friended with the teacher saw the photo and the comments. The parent complained and the teacher is facing discipline.

In one sense this is such a normal Facebook occurrence it's not even worth mentioning. But this has a few unusual - and to me troubling - elements. There's been a lot of talk about cyber-bullying lately. Most cases have been between children, usually of similar age. This is a case of an adult, a teacher, making fun of a 7 year old. A teacher should know better. Of course, this isn't the first time teachers have been burned by their Facebook postings. Another teacher damaged her career last week - a first grade teacher who allegedly referred to her students as "future criminals" and said she felt like a warden.

The problem with Facebook isn't that teachers speak their minds - although speaking without filters is almost always a problem - but that they think they're speaking in a walled garden where they control who sees it. Facebook does nothing to correct this error, talking about concern for users' privacy even as new privacy settings make it harder to keep things private on Facebook.

Edit: Changed title to better reflect story

Kroger, Chase suffer data breach

Originally published 4/04/11 on

Emily Fox of reports that Epsilon, a marketing firm based in Irving, TX, suffered a data breach including email addresses of customers of Kroger and JP Morgan Chase. Supposedly that is all that was stolen, but Chase is investigating further.

If you are a customer of either company you can learn more by going to their respective websites at: and

Are you a better codebreaker than the FBI's best?

Originally published 4/01/11 on

Did you read "Encyclopedia Brown" growing up? One of the stories involved Encyclopedia learning to decode the product codes on items in the grocery store. That got me interested in cryptography. I'm still interested, but I've learned that I lack the patience required to be a really good cryptographer. But if you've always had a secret yearning to play secret agent and a desire to one up the FBI, I have just the thing. Michael Cooney of the "Layer 8" blog at Networkworld reports that the FBI is seeking help decrypting some notes found on the body of a murdered man in 1999.

This isn't an April Fools' joke. The FBI has placed images of the notes here. If you like decoding those cryptograms in the Sunday paper you might give it a shot. The FBI's experts haven't been able to in 12 years, but right now they're hoping a fresh set of eyes and a different way of looking at the problem will work where experts haven't. They are also hoping that someone may be able to show them samples of similar code.

One interesting aspect of this code is that it may have been a code the victim had been using since he was a child. That made me wonder if maybe this isn't a code, but a language that was developed over 30 years or more. Maybe the FBI is looking for the wrong thing.

The FBI story is here.


Edited @ 11:09 to remove comment tags hiding some of the text.

Watch those unsolicited insurance calls

Originally published 3/31/11 on

When I got home from work my wife told me about a phone call she'd received just before I arrived. A foreign man told her he was from the insurance company. I suppose it's obvious he wasn't, or I wouldn't be writing about it. He knew her name. He knew she was in Lubbock, but that was about all he knew. She asked him what insurance company he was from, and he said his company represents all of the online companies. He could tell her what companies he represents, but not who our insurance company is, even though he claimed to represent them. When he asked for her birthday, address and if she'd had any wrecks or tickets she told him if he represented our insurance company he should already have that information. He hung up on her. For amusement I called the number that the caller ID gave when he called. It wasn't an insurance company. I've included a few seconds of it for your amusement and edification. Never trust an unsolicited phone call from 'your' insurance company, mortgage company, bank, whatever. Don't let them push you into proving who you are. They called you. If they don't know who you are hang up, call your real insurance company, bank, whatever, and find out if they need to talk to you. If it was actually them, they'll understand. If they don't, find one that will.

Who knows more about you than Google? Your cell phone provider.

Originally published 3/30/11 on

Malte Spitz, a German politician and privacy activist, sued Deutsche Telekom and obtained 6 months of their records on him - including location data. He gives details in his blog, but perhaps the most interesting result of his efforts is the animated map of his movements during that 6 months. If you put it in satellite view, it's even a little creepy.
Mr. Spitz also makes the data available for download to play with if you want. But all of the data isn't there. Even though the telecom company routinely gathered and kept the numbers of the people he communicated with, both phone calls and texts, they did not release that information to him. So the data is incomplete. Part of the information given on the map is the number of calls and texts sent and received each day. With the phone numbers you could probably have identified his best friend, his wife or significant other, etc. The cell phone company had that information, and if he surfed the web on his phone, a lot more, just waiting for someone to break in and take it. Or bid high and buy it.
Online many services are paid for with our personal information. I don't agree with that, I don't like it, but I understand it. I believe we should control what happens to our information, and we should know how it is being used by the people we're giving it to, and be able to tell them how they can and can't use it. When it comes to cell phones, cable companies, ISPs and the like, they have no right to any more information than necessary to verify we are who we say we are and determine our bills. We are already paying them for the right to use their services.

Update: The New York Times has an in-depth article on this: It’s Tracking Your Every Move and You May Not Even Know

Monday, September 26, 2011

Logging out of Facebook is not enough

This is a repost of Nik Cubrilovic's blog of September 25th, 2011


Dave Winer wrote a timely piece this morning about how Facebook is scaring him since the new API allows applications to post status items to your Facebook timeline without a user's intervention. It is an extension of Facebook Instant and they call it frictionless sharing. The privacy concern here is that because you no longer have to explicitly opt-in to share an item, you may accidentally share a page or an event that you did not intend others to see.
The advice is to log out of Facebook. But logging out of Facebook only de-authorizes your browser from the web application; a number of cookies (including your account number) are still sent along to all requests to Even if you are logged out, Facebook still knows and can track every page you visit. The only solution is to delete every Facebook cookie in your browser, or to use a separate browser for Facebook interactions.
Here is what is happening, as viewed by the HTTP headers on requests to First, a normal request to the web interface as a logged in user sends the following cookies:
Note: I have both fudged the values of each cookie and added line wraps for legibility
The request to the logout function will then see this response from the server, which is attempting to unset the following cookies:
_e_fUJO_0=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/;; httponly
c_user=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/;; httponly
fl=1; path=/;; httponly
L=2; path=/;; httponly
locale=en_US; expires=Sun, 02-Oct-2011 07:52:33 GMT; path=/;
lu=ggIZeheqTLbjoZ5Wgg; expires=Tue, 24-Sep-2013 07:52:33 GMT; path=/;; httponly
s=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/;; httponly
sct=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/;; httponly
W=1316000000; path=/;
xs=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/;; httponly
To make it easier to see the cookies being unset, the names are in italics. If you compare the cookies that have been set in a logged in request, and compare them to the cookies that are being unset in the logout request, you will quickly see that there are a number of cookies that are not being deleted, and there are two cookies (locale and lu) that are only being given new expiry dates, and three new cookies (W, fl, L) being set.
Now I make a subsequent request to as a 'logged out' user:

The primary cookies that identify me as a user are still there (act is my account number), even though I am looking at a logged out page. Logged out requests still send nine different cookies, including the most important cookies that identify you as a user.

This is not what 'logout' is supposed to mean - Facebook are only altering the state of the cookies instead of removing all of them when a user logs out.
With my browser logged out of Facebook, whenever I visit any page with a Facebook like button, or share button, or any other widget, the information, including my account ID, is still being sent to Facebook. The only solution to Facebook not knowing who you are is to delete all Facebook cookies.
You can test this for yourself using any browser with developer tools installed. It is all hidden in plain sight.

An Experiment

This brings me back to a story that I have yet to tell. A year ago I was screwing around with multiple Facebook accounts as part of some development work. I created a number of fake Facebook accounts after logging out of my browser. After using the fake accounts for some time, I found that they were suggesting my real account to me as a friend. Somehow Facebook knew that we were all coming from the same browser, even though I had logged out.
There are serious implications if you are using Facebook from a public terminal. If you login on a public terminal and then hit 'logout', you are still leaving behind fingerprints of having been logged in. As far as I can tell, these fingerprints remain (in the form of cookies) until somebody explicitly deletes all the Facebook cookies for that browser. Associating an account ID with a real name is easy - as the same ID is used to identify your profile.
Facebook knows every account that has accessed Facebook from every browser and is using that information to suggest friends to you. The strength of the 'same machine' value in the algorithm that works out friends to suggest may be low, but it still happens. This is also easy to test and verify.
I reported this issue to Facebook in a detailed email and got the bounce around. I emailed somebody I knew at the company and forwarded the request to them. I never got a response. The entire process was so flaky and frustrating that I haven't bothered sending them two XSS holes that I have also found in the past year. They really need to get their shit together on reporting privacy issues, I am sure they take security issues a lot more seriously.

The Rise of Privacy Awareness

10-15 years ago when I first got into the security industry the awareness of security issues amongst users, developers and systems administrators was low. Microsoft Windows and IIS were swiss cheese in terms of security vulnerabilities. You could manually send malformed payloads to IIS 4.0 and have it crash with a stack or heap overflow, which would usually lead to a remote vulnerability.
A decade ago the entire software industry went through a reformation on awareness of security principles in administration and development. Microsoft re-trained all of their developers on buffer overflows, string formatting bugs, off-by-one bugs etc. and audited their entire code base. A number of high-profile security incidents raised awareness, and today vendors have proper security procedures, from reporting new bugs to hotfixes and secure programming principles (this wasn't just a Microsoft issue - but I had the most experience with them).
Privacy today feels like what security did 10-15 years ago - there is an awareness of the issues steadily building and blog posts from prominent technologists are helping to steamroll public consciousness. The risks around privacy today are just as serious as security leaks were then - except that there is an order of magnitude more users online and a lot more private data being shared on the web.
Facebook are front-and-center in the new privacy debate just as Microsoft were with security issues a decade ago. The question is what it will take for Facebook to address privacy issues and to give their users the tools required to manage their privacy and to implement clear policies - not pages and pages of confusing legal documentation, and 'logout' not really meaning 'logout'.

Update: Contact with Facebook

To clarify, I first emailed this issue to Facebook on the 14th of November 2010. I also copied the email to their press address to get an official response on it. I never got any response. I sent another email to Facebook, press and copied it to somebody I know at Facebook on the 12th of January 2011. Again, I got no response. I have copies of all the emails, the subject lines were very clear in terms of the importance of this issue.
I have been sitting on this for almost a year now. The renewed discussion about Facebook and privacy this weekend prompted me to write this post.

Update 2: Followup

The reaction to this story has been amazing. I am writing a followup that will analyze both the data that I have collected as well as the response from Facebook (which you can read below in the comments). If you wish to view the raw logs, I have saved them here. Specifically the datr and lu cookies are retained after logout and on subsequent requests, and the a_user cookie, which contains your userid, is only cleared once the session is restarted. Most importantly, connection state is retained through these HTTP connections. There is never a clean break between a logged in session and a logged out session - but I will have more on that in a follow-up post.
Erratum: I refer to the wrong cookie name in the post above. I also say 'all sites' can be tracked, when I meant to say 'all sites that integrate facebook'.
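
The logout response quoted in the post above can be audited mechanically. This is an added example, not part of Nik Cubrilovic's original post: it parses the ten Set-Cookie values as they appear on this page and sorts them into cookies that are unset, cookies set for the session only, and cookies re-issued with a future expiry. The capture time, the pre-logout jar and all function names are assumptions made for the example.

```python
import re
from datetime import datetime, timezone

# Set-Cookie values copied from the logout response quoted in the post.
# The empty attribute (";;") is how the lines appear on this page.
LOGOUT_SET_COOKIES = """\
_e_fUJO_0=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/;; httponly
c_user=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/;; httponly
fl=1; path=/;; httponly
L=2; path=/;; httponly
locale=en_US; expires=Sun, 02-Oct-2011 07:52:33 GMT; path=/;
lu=ggIZeheqTLbjoZ5Wgg; expires=Tue, 24-Sep-2013 07:52:33 GMT; path=/;; httponly
s=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/;; httponly
sct=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/;; httponly
W=1316000000; path=/;
xs=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/;; httponly
""".splitlines()

# Assumption: the moment the response was captured (not stated in the post).
CAPTURED_AT = datetime(2011, 9, 25, 7, 52, 33, tzinfo=timezone.utc)

# Constructed pre-logout jar. The names appear in the post, but the full
# logged-in cookie list is not on this page.
SAMPLE_JAR = ["c_user", "datr", "locale", "lu", "xs"]

MONTHS = {name: number for number, name in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}
DATE_RE = re.compile(
    r"(\d{1,2})-([A-Za-z]{3})-(\d{4}) (\d{2}):(\d{2}):(\d{2}) GMT")


def parse_expires(text):
    """Parse 'Thu, 01-Jan-1970 00:00:01 GMT' without relying on the locale."""
    match = DATE_RE.search(text)
    if not match:
        raise ValueError("unrecognised expires value: %r" % text)
    day, month, year, hour, minute, second = match.groups()
    return datetime(int(year), MONTHS[month.title()], int(day),
                    int(hour), int(minute), int(second), tzinfo=timezone.utc)


def parse_set_cookie(line):
    """Split one Set-Cookie value into name, value and the attributes we need."""
    parts = [part.strip() for part in line.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name, "value": value, "expires": None, "httponly": False}
    for attribute in parts[1:]:
        if not attribute:          # tolerate the empty ';;' attribute
            continue
        key, _, val = attribute.partition("=")
        if key.lower() == "expires":
            cookie["expires"] = parse_expires(val)
        elif key.lower() == "httponly":
            cookie["httponly"] = True
    return cookie


def audit_logout(lines, now=CAPTURED_AT):
    """Classify what a logout response does to each cookie it names."""
    report = {"unset": [], "session": [], "persistent": {}}
    for line in lines:
        if not line.strip():
            continue
        cookie = parse_set_cookie(line)
        if cookie["expires"] is None:
            report["session"].append(cookie["name"])    # lives until browser exit
        elif cookie["expires"] <= now:
            report["unset"].append(cookie["name"])      # expiry in the past
        else:
            lifetime = cookie["expires"] - now
            report["persistent"][cookie["name"]] = lifetime.days
    return report


def survives_logout(jar_names, report):
    """Cookies from the pre-logout jar that the browser still holds afterwards:
    anything the response re-issued or never mentioned at all."""
    unset = set(report["unset"])
    return [name for name in jar_names if name not in unset]


if __name__ == "__main__":
    result = audit_logout(LOGOUT_SET_COOKIES)
    print("unset:     ", result["unset"])
    print("session:   ", result["session"])
    print("persistent:", result["persistent"])
    print("still held:", survives_logout(SAMPLE_JAR, result))
```

A cookie that the logout response never names is untouched by it, which is why survives_logout treats it the same as one that was re-issued.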

Monday, August 1, 2011

Private browsing really isn't

Originally published 3/29/11 on

Do you use the private browsing feature of your browser? Though they may have different names for it, the major browsers all have some type of private browsing available. All of them do pretty much the same thing. From the description of Private Browsing in Opera:

Private tabs

To browse without leaving any trace of the websites you visit, you can use a private tab. This is especially useful if you are using someone else's computer, or planning a surprise that you want to keep secret. When you close a private tab, the following data related to the tab is deleted:

  • browsing history
  • items in cache
  • cookies
  • logins

It looks really good - but your browser isn't the only thing gathering info about you on the web. The explanation given on Google Chrome's private browsing page is pretty clear:

Browsing in incognito mode only keeps Google Chrome from storing information about the websites you've visited. The websites you visit may still have records of your visit. Any files saved to your computer will still remain on your computer.

For example, if you sign into your Google Account on while in incognito mode, your subsequent web searches are recorded in your Google Web History. In this case, to prevent your searches from being stored in your Google Account, you'll need to pause your Google Web History tracking.

If you're using private browsing it will protect you from people finding out what you're doing online by checking your browser, but it won't protect you from the data and logs kept by your ISP, the various servers your data travels through, and of course, the sites you visit. Private browsing isn't really private except on the computer the browser is running on.

Killeen ISD student records found "blowing in the wind"

Originally published 3/28/11 on

Andy Ross of the Killeen Daily Herald reports that Killeen Independent School District documents containing students identifying information, including Social Security numbers, were found "blowing in the wind."

According to a school district spokesperson, the school district doesn't have policies on shredding documents. It hasn't used Social Security numbers to identify students since 2008, so these documents may be older than that. Not that it matters, since about the only way you can change your Social Security number is to go into the Witness Protection program.

The school district does have guidelines regarding personal information on staff and students, but if it doesn't include shredding documents before disposal it doesn't mean much. Dumpster diving is still one of the best ways to get information on individuals or businesses - and apparently these records weren't even in a dumpster.

There are state and federal laws covering the use of student data. I suspect some of them may have been broken here, but whether it was the school or someone they paid to dispose of the records I have no idea.

I wonder what policies and procedures LISD has in place to protect and properly dispose of student records? I hope that LISD's policies are more comprehensive and better enforced than those in Killeen.

Encrypt your Facebook sessions to protect data when it takes the scenic route through China

Originally published 3/25/11 on

CIO Online reports that Facebook traffic coming from AT&T servers was accidentally routed through China and North Korea. This might not be a concern, but unless you're connecting to Facebook using an encrypted connection everything that you do can be monitored by network operators. China is known for spying on its users, and once your data is on the Chinese network, it's just like any Chinese user's data. Any data you look at on Facebook could be monitored and/or saved for later analysis as it goes through China.

But if you encrypt your data, the network operators can't see it. Encrypting your login to Facebook is easy. Just make sure your Facebook bookmark is set to "" and every time you login your username and password will be encrypted. But once you login Facebook defaults back to an unencrypted connection. Facebook does realize that you may want to have everything you do on Facebook encrypted, and has a setting to allow that. Go to the 'Account' menu, select 'Account Settings' and scroll down to 'Account Security' then click on 'change'. Check the "Browse Facebook on a secure connection (https) whenever possible" box.

It's almost always a good idea to use encryption on the web. It doesn't use much processing overhead and protects your information as it goes from point 'A' to point 'B'. If you use Firefox there's even an add-on called "https everywhere" that will use https to connect to any website that supports https.


Facebook + Separation + defriend = Jail Time?

Originally published 3/24/11 on

Ben Muessig at reports on another case of someone shooting themselves in the foot on Facebook. The headline says it all: "Man Charged with Polygamy after defriending his first wife on Facebook." Richard Leon Barton, Jr became estranged from his first wife in prison. They hooked up again on Facebook after he got out.

That's fine, but then Richard defriended his wife. But he didn't have his privacy settings locked down, so she was able to see the pictures he posted of him and his second wife.

Oops. He hadn't divorced wife #1 yet.

Sunday, July 31, 2011

Computer Myths: 5 myths and the truth about them.

Originally published 3/23/11 on

The U.S.-CERT site is an excellent resource for information on computer security. It provides information at two levels, technical and non-technical. One of the articles is a list of common myths and the truth about them. I've provided the link, but here's the list of myths and the truths about them:

What are some common myths, and what is the truth behind them?

  • Myth: Anti-virus software and firewalls are 100% effective.

    Truth: Anti-virus software and firewalls are important elements to protecting your information (see Understanding Anti-Virus Software and Understanding Firewalls for more information). However, neither of these elements are guaranteed to protect you from an attack. Combining these technologies with good security habits is the best way to reduce your risk.

  • Myth: Once software is installed on your computer, you do not have to worry about it anymore.

    Truth: Vendors may release updated versions of software to address problems or fix vulnerabilities (see Understanding Patches for more information). You should install the updates as soon as possible; some software even offers the option to obtain updates automatically. Making sure that you have the latest virus definitions for your anti-virus software is especially important.

  • Myth: There is nothing important on your machine, so you do not need to protect it.

    Truth: Your opinion about what is important may differ from an attacker's opinion. If you have personal or financial data on your computer, attackers may be able to collect it and use it for their own financial gain. Even if you do not store that kind of information on your computer, an attacker who can gain control of your computer may be able to use it in attacks against other people (see Understanding Denial-of-Service Attacks and Understanding Hidden Threats: Rootkits and Botnets for more information).

  • Myth: Attackers only target people with money.

    Truth: Anyone can become a victim of identity theft. Attackers look for the biggest reward for the least amount of effort, so they typically target databases that store information about many people. If your information happens to be in the database, it could be collected and used for malicious purposes. It is important to pay attention to your credit information so that you can minimize any potential damage (see Preventing and Responding to Identity Theft for more information).

  • Myth: When computers slow down, it means that they are old and should be replaced.

    Truth: It is possible that running newer or larger software programs on an older computer could lead to slow performance, but you may just need to replace or upgrade a particular component (memory, operating system, CD or DVD drive, etc.). Another possibility is that there are other processes or programs running in the background. If your computer has suddenly become slower, it may be compromised by malware or spyware, or you may be experiencing a denial-of-service attack (see Recognizing and Avoiding Spyware and Understanding Denial-of-Service Attacks for more information).

I especially like that last one. The newest computer in my house is 4 years old and runs everything from online games (free version of D&D) to streaming HD video. Just because a computer is a few years old doesn't mean it's obsolete. But a suddenly slow computer could be, and probably is, infected with malware. These days if you're running your computer as admin you may not be able to get rid of the malware without wiping the computer. So if you can install software on the account you surf the web with, create a new standard user account and start using it. You can usually remove any malware that gets installed in a normal user account. If it installs into an admin account you'll have to wipe the computer to be sure.

Saturday, July 30, 2011

New technology will measure your reaction to advertising

Originally published 3/22/11 on

I read a lot of science fiction, so I can see all kinds of bad futures for this one. Larry Dignan at ZDNet reports on a new technology: Neuromarketing. Neuromarketing is the creation of Neurofocus, a company that claims to develop advertising based on neuroscience. If you don't know (I didn't), neuroscience is an interdisciplinary science involving several fields including chemistry, computer science, and psychology, to name a few.

Neurofocus has a device called the Mynd that is basically a consumer friendly personal wireless EEG. It monitors your response to advertising - not just what you tell them your response is, but how you really react. Larry covered a few of the highlights of what it does:

I can see advertising folks drooling now. The aim for Mynd is to capture real responses from consumers who would participate in home panels. Mynd would send data to a mobile device that would capture reactions. Among the key details:
* Mynd has dense-array medical grade electroencephalographic (EEG) sensors.
* The device captures brainwave activity across the full cortex and can connect to mobile devices via Bluetooth.
* The sensors are dry so there are no gels to burden consumers.
* Mynd has been in testing and development for three years and will roll out to labs in the U.S., Europe, Asia Pacific, Latin America and the Middle East.
Dr. A. K. Pradeep, CEO of NeuroFocus, said Mynd can enable “neuromarketing” to gain “critical knowledge and insights into how consumers perceive their brands, products, packaging, in-store marketing, and advertising at the deep subconscious level in real time.”

The potential of this device is frightening - but at this point it's not a very big concern. Unless you agree to put on the headset it's not going to affect you. But if real privacy laws aren't passed soon this may become the next big privacy fight. Even if the technology becomes miniaturized enough to fit in a baseball cap or a hoodie it may not be a big deal, if you have to agree to transmitting your data. But if your data can be read without your permission, this will be a major privacy issue. If the technology reaches the point it can scan from a distance it could become a big deal. We're already in a fight over who controls our personal data online. You don't get much more personal than your brainwaves.


Tell your Congressman, don't cut Social Security IT upgrade funding

Originally published 3/18/11 on

Anyone who has read my comments on "Lubbock Left" and "Mr. Conservative" knows I am not a huge supporter of Social Security. But just because I don't think it's Uncle Sam's job to take care of me and mine doesn't mean I'm oblivious to the reality of the situation. And that reality is that our Social Security system is residing in a data center that is decades old with a backup system that may or may not work, and will take five days to bring online even if it does.

I read about the problem in the print edition of Information Week for March 14, 2011. But the article by J. Nicholas Hoover is available online. The gist is that the data center is extremely old with inadequate heating and cooling, poor power with inadequate backup power and an unreliable backup of data and processing. The software is badly outdated and not up to the needs of a modern enterprise.

The plans and financing are in place - but the money may dry up:

Most of the funding for the new data center will come from $500 million made available through the American Recovery and Reinvestment Act of 2009. However, the Republican-controlled House of Representatives' revised budget for the rest of fiscal 2011 would cut $120 million of that stimulus funding. If that happens, one of the first things to go could be $100 million in software and system upgrades planned for the new data center.

Millions of people rely on the Social Security system for money to survive. The system is one lightning strike from disaster. Or one mouse shorting a circuit. If the primary system goes down the backup could take 5 days to bring online. In five days people could - probably will - die. I may not think much of Social Security, but the system is in place, and we have to make sure it doesn't fail. For too many people it's their only safety net. Write your congressman not to cut any of the funding for the Social Security data center upgrade.

Cord Blood Registry suffers breach

Originally published 3/17/11 on

Last month reported that Cord Blood Registry (CBR), a company that stores umbilical cord for future use, suffered a data breach in December of 2010:

A CBR computer and data backup tapes were stolen from an employee's locked automobile. The stolen tapes contained customer names, Social Security numbers, driver's licenses and/or credit card numbers. This is the "mother load" of personal identifying information for identity thieves.

This is a pretty serious breach, and a good (sic) example of how not to handle any type of data, but especially sensitive customer data. The thief broke into the car through the window. Never leave your computer in the passenger compartment where it can be seen. Even if you've encrypted the data, which CBR didn't do. It's even more tempting to some thieves than a purse.

Because unencrypted customer data was kept on the seat of a car, 300,000 people are at risk for identity theft. If this was the first time this had happened it might be understandable. But there have been several widely publicized breaches involving stolen or lost laptops, including a breach more than 100 times the size of this one at the Department of Veterans Affairs. There is no excuse for a business allowing unencrypted data anywhere, but especially not on laptops or portable media.

Cars are hackable, too.

Originally published 3/16/11 on

Technology Review reports that Tadayoshi Kohno, Stefan Savage and a team of researchers are able to take control of a car's computer systems remotely using smart phones. Well, as remote as a Bluetooth signal will allow. It is important to note that the car they used was a mass production 2009 model. That means that it was one of the less computerized cars available. Of course, any car without Bluetooth is safe from these attacks.

But in a car with Bluetooth, not only was it possible to take control of the car using Bluetooth, it was possible through several different attack vectors and with phones that weren't paired to the car. Once they were in, they could take complete control of the car's computer systems. That means they could do everything from activating the GPS (how did you think OnStar tells 911 where you are) to disabling the brakes. With total control of the computer they could start or stop the engine, control the air and heat, and control the door locks, to name a few things. No one thinks these attacks are out in the wild, but it's past time for auto manufacturers to start including security in their computing software and hardware.

Researchers identify anonymous emails with 80-90% accuracy - I say not good enough

Originally published 3/14/11 on

At first glimpse it looks like a good thing. Researchers at Concordia University have devised a way to identify the authors of anonymous email. This is a great boon to prosecutors seeking to identify people using anonymous email accounts for illegal activity. Unlike an IP address, which can only be used to determine where an email was authored, this system will identify the author, and will do it with 80-90% accuracy.

Wait a minute. 80-90% accuracy is pretty good in some contexts, but in criminal cases? The reason for the research is sound:

“In the past few years, we’ve seen an alarming increase in the number of cybercrimes involving anonymous emails,” says study co-author Benjamin Fung, a professor of Information Systems Engineering at Concordia University and an expert in data mining – extracting useful, previously unknown knowledge from a large volume of raw data. “These emails can transmit threats or child pornography, facilitate communications between criminals or carry viruses.”

On an emotional level 80-90% seems pretty good, but is that good enough when you may be taking years from a person's life? In some cases, you could be taking their life. The case of Tim Cole is one of the most prominent examples, both locally and nationally, of a person convicted on evidence that jurors thought was better than 90% accurate, but turned out to be 100% wrong. Further reading of the press release from Concordia shows that, once criminals become aware of this technique, 80-90% might be optimistic:

“Let’s say the anonymous email contains typos or grammatical mistakes, or is written entirely in lowercase letters,” says Fung. “We use those special characteristics to create a write-print. Using this method, we can even determine with a high degree of accuracy who wrote a given email, and infer the gender, nationality and education level of the author.”

So all I have to do to fool this system is to vary my writing style. Intentionally misspell words in some emails, be meticulously correct in others. Make grammatical mistakes in some, not in others. Or just always make mistakes when using anonymous email that I don't usually make in my signed email.

Worse, given only 80-90% accuracy, how hard would it be for someone who receives a lot of email from me - or maybe even someone who reads this blog - to frame me using email? When it comes to criminal cases, 80-90% doesn't cut it.

Would you recognize a human-hacker?

Originally published 3/11/11 on

As much as we focus on computer viruses, trojans, vulnerabilities and exploits, they are not the biggest risk to security - online or off. The biggest risk is us. Books have been written about it, from Kevin Mitnick's classic "The Art of Deception: Controlling the Human Element of Security" to Christopher Hadnagy's latest, "Social Engineering: The Art of Human Hacking," so the subject has been pretty thoroughly covered. But we don't have the space for that kind of detail, so we're going to look at a more succinct study, the Department of Homeland Security's pamphlet on elicitation, (pdf) the art of using ordinary conversation to coax out the information people want to keep secret. From the pamphlet:

In the espionage trade, elicitation is a technique frequently used by intelligence officers to subtly extract information about you, your work, and your colleagues.

Said another way, elicitation is the art of conversation honed by intelligence services to its finest edge.

Elicitation is nonthreatening, easy to disguise (and hard to prove) and it works. Why does it work? Because it's ordinary conversation, the type of thing we do all the time. Is that attractive person you just met so interested in your job because they want to get to know you, or because they're trying to find out something you know? That telemarketer that struck up a conversation with you yesterday - did you really tell him about your vacation plans next month? Just how did he get you to tell him that?

According to the DHS pamphlet the tools are something we all use to some degree:

Appeals to ego: "You must be really important. Everyone here seems to know you." You may respond with a denial, then talk about why what you do isn't really important.

Mutual interest: The person expresses an interest in something you're interested in and uses that to build a bond and increased trust.

Deliberate lies: "I've heard that..." A deliberate lie told knowing you know the truth. Most people have a strong desire to correct the mistake, and we all like to be part of the "in crowd" with insider knowledge.

Volunteering information: It's a simple trade. They give you something in hopes you will give them something. Sales people do this all the time, usually telling you that the price is about to go up, the offer is about to expire or they're almost out and it's going to be weeks before they get more. If it works, you buy whatever they're selling. For a scam artist, you give them your information, such as credit card numbers, name, address, and maybe even SS#.

Assumed knowledge: Just enough is said to give the impression of knowledge in an area so you'll discuss it.

As I read this list I thought about calls I'd received, both at work and at home, from telemarketers. Almost every one of these tools had been used against me in one form or another.  Then in the WalMart parking lot tonight another one was used on me, the appeal for help:

"Could you spare some change? I'm trying to get some food for me and my wife."

I've had my own answer to this type of appeal for years, "Come with me and I'll buy you some food." He said he was getting his wife, got in the passenger seat of a car a row over, and they left.

The DHS pamphlet is aimed at preventing espionage, but the same techniques are used by malware authors and conmen to build trust and encourage us to give them what they want. One reason these techniques are so effective is that they are the things we all do in the normal course of communicating with others. Try going through a day looking for the things you and the people you interact with do as you communicate. Then see if you can tell who is just making conversation and who is trying to get something from you.



It's easy to lose control of your creation online

Originally published 3/10/11 on

Noam Galai is a photographer who took some pictures of himself back in 2006 and posted them on Flickr. A few months later a friend mentions seeing his face on a t-shirt. He doesn't really believe her, but a couple of months later he's in a store and sees the shirt. The whole story is chronicled in a blog post and 10-minute video interview by fstoppers titled "The Stolen Scream." It's a fascinating story, and seeing how far his image has travelled is amazing - and only one user paid him for it.

There are a lot of lessons here. The best may be Noam's reaction to this theft of his IP. He could have watermarked his images (he still doesn't). He could be sending lawyers after all of the companies using his image without permission. He's not - although he does admit that companies using his work without asking does bother him. But he's not bitter. He seems more amused than anything.

Another lesson, one pointed out by Lee, the fstoppers blogger, is that if we're honest, most of us have no right to point fingers at the people using Noam's image without even acknowledging it's his. Most of us have downloaded music, or accepted a burned CD from a friend.

The last lesson, the title of this post, is that once you put something online you surrender control of that information to the world at large. So if you don't want the world to see something, don't post it online.

Facebook good and bad

Originally published 2/1/11 on

Facebook has become a centerpiece in many people's lives, and that focus is showing in the stories generated by its users. Here are some of the stories from the last few days:

A man in Rochester, NY, was stabbed by his girlfriend because of comments he made on Facebook. Wait, no, she stabbed him because he friended another woman.

Four teens in Naples, Fl are accused of making death threats on Facebook.

A doctor diagnosed a child's leukemia via Facebook.

A man in Columbia, Ill. is indicted for "enticing minors" on Facebook.

Facebook can be a boon or a bane. Be careful what you do there.


Suit opposing "nude scanners" will be heard Thursday

Originally published 3/8/11 on

The Threatlevel blog at reports that the lawsuit filed by the Electronic Privacy Information Center will be heard by the U.S. Court of Appeals. At issue are potential health problems and the effectiveness of the scanners. The scanners were pushed into service over the objections of privacy advocates as well as the questions on their usefulness from other government organizations, such as the Government Accountability Office (GAO).

I hope these scanners are removed from service, but I doubt they will be. Too much money has been spent, and someone would have to take the fall for the security blunder. Even when a terrorist gets past the scanner the TSA won't admit they're ineffective. The agency will say that the terrorists are a wily bunch who came up with new tactics to circumvent our almost air-tight security. Never mind that the tactics have been used by smugglers to get contraband into and out of countries for centuries.

Homeland Security sees the light. Or do they?

Originally published 3/7/11 on

Declan McCullagh of CBS' Tech Talk blog reported that the Department of Homeland Security has extended the deadline for compliance with Real ID, the national ID passed by Congress in 2005, to 2013. Similar reports came from Fox News and CNN. This is good news to anyone who values privacy and recognizes that the Real ID initiative does much to make it easier to track citizens and little to actually stop terrorists.

But I don't know if the reports are true. I receive the press release feed from Homeland Security, and I never saw this release. Declan McCullagh links to a pdf of the announcement at the Office of the Federal Register site, but the link is dead, and there is no other mention of the site. A search of the DHS website reveals no documents on Real ID mentioning an extension to 2013.

If the deadline has been extended this is good news - but not really surprising. Several states have flatly refused to comply because of concerns over the initiative. Concerns go beyond privacy. The costs of implementing it are astronomical, the security benefits questionable, and the increase in the government's ability to probe into law-abiding citizens' lives unbelievable. It was a bad idea with bad implementation from the start, and it needs to just go away.

Monday, July 25, 2011

Supreme Court: Corporate privacy does not trump Freedom of Information Act

Originally published 3/4/11 on

The Electronic Frontier Foundation (EFF) reports that the Supreme Court denied corporations the same privacy rights as individual citizens when the government is responding to Freedom of Information Act (FOIA) requests. This might seem like a no-brainer, but legally corporations are considered persons, so it was only a matter of time before a FOIA request came into conflict with a corporation's 'personal' rights.

AT&T's lawyers argued that as a corporate citizen it was provided the same exemptions as a private citizen. A coalition of groups ranging from the EFF to the National Security Archive filed an amicus brief explaining why corporations were not, and should not be, considered persons under FOIA. The Court obviously agreed with them. In agreeing with them, the Court picked apart the term "personal privacy," using definitions, precedents, and a little horse sense to overturn the lower court's decision. One of my favorite passages was the last paragraph of page 7 continuing onto page 8:

AT&T’s argument treats the term “personal privacy” as simply the sum of its two words: the privacy of a person. Under that view, the defined meaning of the noun “person,” or the asserted specialized legal meaning, takes on greater significance. But two words together may assume a more particular meaning than those words in isolation. We understand a golden cup to be a cup made of or resembling gold. A golden boy, on the other hand, is one who is charming, lucky, and talented. A golden opportunity is one not to be missed. “Personal” in the phrase “personal privacy” conveys more than just “of a person.” It suggests a type of privacy evocative of human concerns—not the sort usually associated with an entity like, say, AT&T.

The Supreme Court explains that the real meaning of a phrase can be more than the sum of its parts, and shows that while a corporation may be a citizen on paper, it is not one in fact, and does not deserve the same privacy considerations as a living breathing person. They probably didn't need to go to all that trouble. As they explain, the FOIA already has protections for corporations.

This was a good decision, and there was even some (perhaps ill-advised) humor at the end. The concluding line of the decision said, "We trust that AT&T will not take it personally." While it seems obviously tongue in cheek to me, Lyle Denniston at the SCOTUSblog feels that the sentence contradicts the ruling. I would say he's just being contrary, but law is all about words, their meanings, and the way they're used in a document. That little joke could cause privacy advocates and Supreme Court justices headaches in the future.

Apple, Trojans, and FUD

Originally published 3/1/11 on

People seem to really enjoy finding any type of malware for Mac OS. In the decade since Apple introduced OS X there have been a handful (barely) of malicious programs introduced for it, but only one really had the potential to be serious. I wrote about OSX/Koobface.A because it was the first serious malware for OS X - or would have been if it hadn't been broken in porting it and never fixed.

Now we have Blackhole RAT, which is being hailed as a new trojan for MacOS - again, a piece of Malware that has been ported over from Windows.

But wait. What is Blackhole RAT? What does it do? By itself, Blackhole RAT is just another remote administration tool like VNC, Apple's Remote Desktop, or Microsoft's Remote Desktop. Sure, it allows someone to take over your computer across a network, but so do a host of other tools. Blackhole RAT isn't, by itself, malware. It has to be installed - probably using a trojan. It's not a trojan itself, it would be the soldier inside the horse. In the computer world, that's usually referred to as the "payload."

So should you be worried about Blackhole RAT on a Mac? I don't think so. Apple Remote Desktop is as much a concern. Before worrying about remote administration tools (RATs) you need to understand how many ways there are to install them on your system. On a Mac, the answer is, not many.

So why am I writing about a non-issue? Because so many reputable publications are, such as PCWorld and MacWorld. But they are spreading the FUD (Fear, Uncertainty and Doubt) rather than calm, reasoned information. Someone needs to be the voice of reason.

If you are concerned about malware, Sophos offers a free antivirus software for home use. But don't panic, the Mac universe is still relatively safe unless you're exploring the seamier side of the internet. If you're doing that, I hope you're already aware of the risks.

Maryland DoC responds to Facebook login uproar

Originally published 2/28/11 on

Tuesday I told you about the Maryland Dept. of Correction policy of asking applicants for their Facebook username and password. Later that day they issued the following statement:

"During the initial interview, or recertification processes, DPSCS does not require correctional officer applicants to provide any information related to social media. An applicant is asked if they are active users of social media. If so, the Department only asks if an applicant would provide this information. If any information is provided by an applicant, it is done so voluntarily. If an applicant does not provide this information, it is not held against them and the interview process moves forward.

The Department has a legitimate concern about the infiltration of gangs into our prison system. DPSCS' efforts to explore an applicant's behavior on social media networks is not done through a desire to invade personal privacy, rather it is an effort to make sure the safety and security of our staff and inmates inside our correctional institutions is not compromised.

However, in light of these concerns raised by the ACLU and because this is a newly emerging area in the law, the Department has suspended the process of asking for social media information for 45 days to review the procedure and to make sure it is being used consistently and appropriately."

It's good that they have suspended the policy. Hopefully a review will help them realize just how wrong requiring prospective employees to hand over their social media logins is.

TSA proves full body scanners unreliable

Originally published 2/25/11 on

Kyle VanHemert at Gizmodo reports that in what apparently was the TSA testing its own procedures an undercover agent passed through the vaunted full body scanners with a gun multiple times - without triggering alarms or being stopped.

The full body scanners have been touted as absolutely necessary for the security of our airports and planes. Privacy advocates have been against these scanners from the moment plans to use them were announced. I've blogged about them in the past, including a past mistake the TSA claimed would never happen. These scanners are not the great shield the TSA claims they are. Instead, they are the emperor's new clothes. The TSA has just proved it.

If the report is correct. The TSA isn't admitting anything, and no one has been disciplined. That doesn't really tell us anything. If it's true they can't admit it - that would reveal a serious breach in our security. If it's a lie, denying it will only reinforce the idea that they're hiding the truth. I wouldn't want to be John Pistole right now. But I'd hate worse to be him when a terrorist gets through the massive security hole that he is pretending is a shield.

Microsoft embraces Kinect owners' right to mod

Originally published 2/24/11 on

I've talked about Sony's sudden dislike of console modders and their lawsuit against George Hotz. Microsoft has apparently been watching, and sees an opportunity to steal marketshare from the PS3. Nicole Zivalich of G4TV reports that the Redmond giant is releasing a developer's kit to make it easier for the fledgling Kinect modding movement to create PC software for the Xbox Kinect. With Sony pushing firmware "upgrades" that remove PS3 owners' ability to create software for the PS3 and suing people who try to restore it, Microsoft's apparent embracing of end users making their own software for the Kinect is almost certainly an olive branch designed to attract frustrated PS3 modders to the Xbox community.

Sony is using the DMCA to sue people who try to fully utilize hardware they have purchased (not leased or licensed) - an activity they only recently disabled by a firmware update pushed without owners' knowledge or consent. Microsoft is embracing the hardware owner's right to make full use of the hardware they purchased. I know where my family's money is going for our next console purchase.

Google forgets "Do No Evil" slogan?

Originally published 2/23/11 on

A week or so ago I noticed a "Doodle-4-Google" contest asking for artwork from kids. I intended to go back later because I thought my kids might be interested, but got busy and forgot. Then today I see an article by Bob Bowden in the Huffington Post, "Why Has Google Been Collecting Kids' Social Security Numbers Under the Guise of an Art Contest?" It turns out that Google has been asking parents for information that could be used to guess their children's Social Security numbers.

Google has changed the entry form so that it just asks for the child's school and parents' address. It originally asked for the child's city of birth and date of birth as well as the last four digits of their SS#. It's not widely known, but if you know the city of birth, date of birth, and last four of the SS# it is possible to guess with very high probability the first five digits of the SS#.

Why was Google asking for this information? It was hardly necessary to ask for any Social Security information for a children's art contest. When a letter was sent to Google asking about the legality of asking for children's SS#'s the entry form was rapidly changed. It's possible that Google simply hadn't thought about the legality of what they were doing, but I don't really believe that. If Google guessed the children's SS#'s and sold them they would make millions. Having a person's SS# gives you unprecedented access to their lives.

Bob noted that the contest's privacy policy did nothing to protect privacy, saying:


At least the contest "privacy notice" is clear enough: "participation constitutes consent to the storage, use and disclosure of the Entrant's entry details...." It should really be called the "privacy waiver."


It has since been changed:


Privacy Notice. By participating in this Contest, you agree that Google can collect your personal information, and that if Google cannot collect the required data, you may not be eligible to participate in the Contest. Any personal information collected during the course of the Contest by Google will only be used for administering this Contest and for other purposes as outlined in these Rules, and will be subject to the practices described in the Google Privacy Policy located at You will have the right to access, review, rectify or cancel any personal data held by Google by writing to Google (Attention: Privacy Matters) at the Google address listed in Section 2.


When Google realized what it had done (or that it had been caught) it quickly fixed the problems. But this just underscores the fact that you should never fill out anything online (or anywhere) without reading the fine print and making sure you understand it. Especially if you are doing it for children.

Maryland Department of Correction requires new hires give Facebook login info

Originally published 2/21/11 on

Andrew Hoyle at CNet UK reports that the Maryland Division of Correction is requiring new hires and recertifying employees to give full access to their Facebook accounts as part of the background checks. A recertifying employee, Robert Collins, is suing the Maryland DOC, saying their policy is intrusive and illegal under the US Stored Communications Act, as well as being against Facebook policies.

When Mr. Collins was being recertified he was told by an interviewer that he had to give his Facebook login information as part of the background check. The interviewer then logged into Collins' Facebook account and made him wait while inspecting it.

The article closes with a question. Do you think that anything online should be fair game in background checks, especially if the job is legally sensitive? Or do you believe some things should be private, regardless?

I think that demanding the Facebook login and using it to access the account is going too far. I can see the reasoning, but for many people Facebook is like their diary, just with more readers. Can an employer demand your diary?

Saturday, February 19, 2011

How to spot an ATM skimmer

Have you heard about ATM skimmers? Brian Krebs of "Krebs on Security" has written several articles about them, and they've appeared in national news stories a few times this past year. Recently he wrote "Having a ball with ATM skimmers," about a skimmer/camera combo discovered at a bank in Sun Valley, CA.

I don't think we have a problem with skimmers in Lubbock, but they're getting cheaper and are easily available online. So I thought now might be a good time to provide some education on how to spot skimmers. So here is a video from the Commonwealth Bank of Australia:

Criminal Friends on Facebook

I'm sitting here watching TruTV's "Dumbest Criminals 25" and the very first dumb criminals robbed a house with a camera - apparently hidden, but maybe not. It captured them stealing around $11,000 worth of electronics and jewelry. When the owners got home they reviewed the footage and instead of giving it to the cops they put it up on Facebook. One of their Facebook friends ID'ed one of the thieves (he had a great full face shot) - who was another of the victim's Facebook friends. How did the criminal know the house would be empty? The victim posted a status update saying they would be gone and when they would be back.

I don't know how well the victims knew the thief. I don't know if they were longtime friends or it was just someone whose friend request they'd accepted. Obviously they didn't know him as well as they thought.

Facebook and Twitter are great for keeping up with friends, letting family know what's going on in your life, and seeing what your favorite celebrity's publicist wants you to think the celeb is thinking. But it is not a safe haven. There are loopholes and tricks to see members' information even if you're not their friend. So even if all of your friends are people you know and trust, you should avoid posting realtime information about your activities. It's not hard for crooks to figure out you're not home, but why make it easier?

Copyright lawsuits have a hard time in Texas, and rightly so

My original plan for today's blog was to talk about the EFF's Deeplinks blog post, "Don't Mess With Texas: Another Texas Judge Scrutinizes Mass Copyright Litigation." But before I could do that, I saw "6,374 DISMISSED John Doe Defendants cheer as the LFP Internet Group lawsuits go down in flames," on the TorrentLawyer blog.

I'm proud of the Texas judges who are upholding civil liberties. I'm not defending illegal file sharing, but I am defending the right of the accused to due process. The plaintiff's lawyers in these cases try to treat it more like a racketeering case, filing one suit against all of the John Doe defendants. As Corynne McSherry of DeepLinks put it:

In his orders, Judge Furgeson notes an essential feature of mass copyright litigation: unlike the normal case, in which a defendant is notified of early case developments and can intervene to protect his or her interests (such as by opposing a plaintiff's request to send out subpoenas), the Does in these cases are unlikely to have any idea a lawsuit has been filed, much less that the plaintiff is seeking their identity. Appointing an attorney ad litem for limited purposes is one way to address that problem and help ensure that the Does receive the same constitutional protections that must apply to any defendant, in any litigation.

Filing one suit for hundreds, even thousands of John Does allows the plaintiff's attorneys to proceed with the case without paying filing fees for most of the defendants. Most of the defendants also don't have lawyers, so there is little opposition to whatever the plaintiff's lawyers do. One thing Judge Furgeson has done is consider appointing attorneys for the John Does. He also severed each of the John Does from the primary case, noting that the plaintiff has not offered any proof of conspiracy, and just because a group of people are doing the same thing does not mean they are conspiring or working together.

Because the judge severed each of the defendants, if the plaintiff wants to sue them he will have to sue each individually, paying the filing fees for each case. That will get expensive very quickly. They would also have to file in the correct jurisdiction, another problem with the John Doe cases that have been filed recently in movie sharing cases.

The RIAA and MPAA have a right to protect their interests, but they need to realize that this is not 1980. Although they could look back to the late '70s and early '80s and maybe learn a few things. Then it was the VCR that was the doom of the movie industry. A solution was found then, and once the RIAA and MPAA quit panicking one will be found now. Independent musicians and film makers are using the very things causing traditional content providers problems to promote themselves as they've never been able to before. Instead of suing current and potential customers they should be finding ways to make use of the new technologies. And in case nobody's noticed, all their encryption and lawsuits haven't even managed to slow down file sharing. Instead of trying to cut heads off the hydra, they should be seeking a way to harness the beast.

House extends shredding of citizens' rights. Battle moves to the Senate.

UPDATE: The Senate has passed a 3 month extension of the Patriot Act (the House extension is until Dec. 8th) with a Judiciary Committee hearing on S. 193 expected soon, according to a report by the Electronic Privacy Information Center (EPIC).

On Valentines Day members of the House of Representatives showed their love for their constitutents by passing the Patriot Act extension. I talked last week about the reasons to let the Patriot Act expire. The Patriot Act is too open ended and gives the government too much power to spy on people - citizens and non-citizens without verifiable reason. According to the Electronic Frontier Foundation (EFF) the justification for last years extension by claiming a need to study proposed changes. But this years extension was passed without hearing or amendments, or apparently any reason given for not allowing discussion before the vote.

The House has passed the extension, but it still has to get through the Senate. The EFF reports that there are three Patriot Bills that could go to the floor - unless the Senate leadership chooses to put the House bill on the floor for a vote. All of these bills extend the Patriot Act, but only S.193 contains changes to provide oversight and accountability for the government's use of Patriot Act powers. The American Library Association supports S.193, which is a plus. The ALA has been fighting for stronger protections from the Patriot Act almost since its inception. It also has the support of:

It's time to contact your senator. The Senate website is here. There is a pull down menu in the upper right corner to get your senator's contact information. If you're in Texas, I'll make it easy for you:

Cornyn, John - (R - TX) 517 HART SENATE OFFICE BUILDING WASHINGTON DC 20510 (202) 224-2934

Hutchison, Kay Bailey - (R - TX) Class I 284 RUSSELL SENATE OFFICE BUILDING WASHINGTON DC 20510 (202) 224-5922

Tell your Senator not to extend the Patriot Act. Or if they feel it must be extended, the bill to back is S.193.

IE9 and Firefox will have "Do not track" features

The upcoming versions of Internet Explorer and Firefox will include "Do Not Track" capabilities, but the way they do it is quite different. IE uses blacklisting, which will work, at least for a while. Firefox is implementing a header that will be sent to sites to tell them you don't want to be tracked, which will work as long as enough sites agree to support the header.

The Mozilla blog gives a little more information on the "Do not track" header and links to another blog with more technical details.
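What "supporting the header" means on the site's side, as an added example that is not Mozilla's code or any site's real implementation: a WSGI middleware that, when the browser sends `DNT: 1`, keeps the wrapped application from reading or setting tracking cookies. The cookie name `visitor_id`, the demo application and the sample request are assumptions constructed for illustration.

```python
# Added example, not Mozilla's or any site's real code.
# Firefox sends the request header "DNT: 1" when the user opts out of tracking.
# Assumptions: a WSGI app; "visitor_id" is a hypothetical tracking cookie name.
TRACKING_COOKIES = {"visitor_id"}

def opted_out(environ):
    """True only when the browser sent exactly DNT: 1."""
    return environ.get("HTTP_DNT", "").strip() == "1"

def cookie_name(pair):
    return pair.split("=", 1)[0].strip()

def strip_tracking(cookie_header):
    """Drop tracking cookies from a request Cookie header value."""
    kept = [p.strip() for p in cookie_header.split(";")
            if p.strip() and cookie_name(p) not in TRACKING_COOKIES]
    return "; ".join(kept)

class HonorDoNotTrack:
    """For DNT: 1 requests the wrapped app neither reads nor sets tracking cookies."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        if not opted_out(environ):
            return self.app(environ, start_response)
        # Hide any tracking cookie the browser still holds from the application.
        environ = dict(environ)
        environ["HTTP_COOKIE"] = strip_tracking(environ.get("HTTP_COOKIE", ""))

        def filtered(status, headers, exc_info=None):
            # Remove Set-Cookie headers that would (re)issue a tracking cookie.
            headers = [(k, v) for k, v in headers
                       if k.lower() != "set-cookie"
                       or cookie_name(v) not in TRACKING_COOKIES]
            return start_response(status, headers, exc_info)

        return self.app(environ, filtered)

def demo_app(environ, start_response):
    # Constructed sample app: sets a session cookie and a tracking cookie,
    # and echoes back the cookies it was allowed to see.
    start_response("200 OK", [
        ("Content-Type", "text/plain"),
        ("Set-Cookie", "session=s3ss; HttpOnly"),
        ("Set-Cookie", "visitor_id=abc123; Max-Age=31536000"),
    ])
    return [environ.get("HTTP_COOKIE", "").encode()]

def run_request(dnt=None, cookie=""):
    """Drive the middleware with a constructed request; return (headers, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/", "HTTP_COOKIE": cookie}
    if dnt is not None:
        environ["HTTP_DNT"] = dnt
    seen = {}

    def start_response(status, headers, exc_info=None):
        seen["headers"] = headers

    body = b"".join(HonorDoNotTrack(demo_app)(environ, start_response))
    return seen["headers"], body.decode()
```

The session cookie survives in both directions, so honoring the header does not break logins; only the cookie used for tracking is withheld.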

Ed Bott of gives a very good explanation of how "Do not track" works in IE. It is part of a series of blogs on internet tracking.

"Do Not Track" needs to be done. But I am concerned that these measures are being done without regard to the far reaching effects of blocking tracking and ads. Much of the free information on the internet is paid for by gathering information on the people who visit websites. Cutting off that revenue stream cold turkey could completely change the face of the internet, causing sites to go out of business or change business models radically. Privacy and control over information about us is extremely important, but we have to be careful we don't shoot ourselves in the foot trying to fix our problem.

Two privacy bills introduced by Representative Jackie Speier (D-Calif)

The Privacy and Information Security Blog reports that Representative Jackie Speier (D-Calif.) has introduced legislation to protect consumer privacy. The legislation is in the form of two bills, the "Do Not Track Me Online Act of 2011" (HR 654) and the "Financial Information Privacy Act of 2011" (HR 653). They are supported by several consumer and privacy advocate groups.

I have downloaded the bills, and have read all of HR 654. It's interesting. It requires a mechanism for people to opt out of data collection - a clear and straightforward mechanism. It also grants the FTC the right to exempt some practices from this bill. There are examples of what types of practices can be exempted, but this provision has some potential for abuse. It also has some teeth in it, although they seem a little limited, considering the size of some of the companies we're talking about. There are fines not to exceed $11,000/day of non-compliance with a maximum fine of $5,000,000. That's a lot of money, and would bankrupt a lot of companies. Other companies will feel the sting of widespread publication of their violation more than a mere $5,000,000.

This bill is a step in the right direction. Requiring that tracking be opt-in rather than opt-out would be better - if we can figure out a way to do that without destroying the internet as we know it. At this point most people are trained to expect free content. They don't realize that all of those 'free' sites they use are paid for by the information gathered about them and sold or used to target advertising. Kill that revenue stream and most, if not all, free sites would have to either shut down or charge for use. So until we can figure out how to do that without killing the internet, Jackie Speier's "Do Not Track" bill is a good starting point to bring privacy to the internet.

I haven't read all of HR 653 yet, but I like the requirements for the opt-in form:

(e) CONSENT FORM REQUIREMENTS: An express consent form complies with the requirements of this subsection if it meets the following criteria:

  • (1) It is a separate document, not attached to any other document.
  • (2) It is dated and signed by the consumer.
  • (3) It clearly and conspicuously discloses that by signing, the consumer is consenting to the disclosure to nonaffiliated third parties of nonpublic personal information pertaining to the consumer.
  • (4) It clearly and conspicuously discloses:
    (A) that the consent will remain in effect until revoked by the consumer;
    (B) that the consumer may revoke the consent at any time; and
    (C) the procedure for the consumer to revoke consent.
  • (5) It clearly and conspicuously informs the consumer that:
    (A) the financial institution will maintain the form or a true and correct copy;
    (B) the consumer is entitled to a copy of the form upon request; and
    (C) the consumer may want to make a copy of the document for the consumer's records;
  • (6) Such other criteria as the Bureau of Consumer Financial Protection may determine appropriate.

HR 653 requires that financial institutions make disclosure of customers' data to non-affiliated financial institutions an opt-in activity. Non-affiliated just means an institution that is not controlled by, controlling, or controlled by a common entity. For example, if two banks in Lubbock have different names and different leadership, but both are owned by the same company, they are affiliated. If one owns the other, they are affiliated. If both are independently owned and do not have any leaders in common, they are non-affiliated.

From what I've read, this bill is good news. It requires financial institutions to hold personal information in confidence unless specifically given permission to release it to third parties. Banks are not in danger of going out of business if they can't sell customers' data. It is not a core part of their business model. This will be a win for people's right to control their data.

Selling customers' information should never have become part of any company's business model, but it happened almost before anyone noticed with the growth of the web. These two bills are a good beginning at correcting that problem. Write your representative and tell him or her to support these bills.

Google offers all users 2 step login

Google announced yesterday that it will be offering two step logins free to any user that wants it. What Google is calling two step the security industry calls two factor. There are three factors that can be used to identify a person:

  • Something the user knows: Birthday, birthplace, 5th President of the U.S., pass code
  • Something the user has: Key, Swipe card, RFID chip
  • Something the user is: Fingerprint, Retina print, DNA

What Google is offering is the option to add a second factor - something you have - to the existing single factor username and password - something you know. When you sign up for the two step authentication you authorize Google to send a passcode to your cell phone. When you enter your username and password a second page will require you to enter the verification code sent to your cell phone by Google.

This is a good thing. It makes it much more difficult to hack into Google accounts. I checked my account a few times yesterday. There was a notice that two step authentication would be coming to it soon. I'm looking forward to it.
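The server side of the second step described above, as an added example that is not Google's implementation: a one-time code is issued after the password check, then accepted only once, only before it expires, and only within a few attempts. The five minute lifetime, the three attempt limit, the in-memory store and the user name are assumptions chosen for illustration.

```python
# Added example, not Google's code: verifying a passcode texted to the user's phone.
import hmac
import secrets
import time

CODE_TTL = 300     # assumption: a code is valid for five minutes
MAX_ATTEMPTS = 3   # assumption: guesses allowed per issued code

class SecondStep:
    def __init__(self, clock=time.time):
        self.pending = {}   # username -> [code, expires_at, attempts_left]
        self.clock = clock

    def issue(self, username):
        """Call only after the password check passed; returns the code to text."""
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, not random.randint
        self.pending[username] = [code, self.clock() + CODE_TTL, MAX_ATTEMPTS]
        return code

    def verify(self, username, submitted):
        entry = self.pending.get(username)
        if entry is None:
            return False                      # nothing issued, or already used
        code, expires_at, attempts_left = entry
        if self.clock() > expires_at or attempts_left <= 0:
            del self.pending[username]        # stale code can never be redeemed
            return False
        entry[2] -= 1
        # Constant-time comparison so timing does not leak matching digits.
        if hmac.compare_digest(code.encode(), submitted.encode()):
            del self.pending[username]        # single use: a replay fails
            return True
        if entry[2] == 0:
            del self.pending[username]        # out of guesses: force a new code
        return False

def other_code(code):
    """A six-digit code guaranteed to differ from the given one."""
    return f"{(int(code) + 1) % 10**6:06d}"

def demo():
    """Walk the failure modes with a constructed clock and user."""
    now = [1000.0]
    step = SecondStep(clock=lambda: now[0])
    code = step.issue("alice")
    results = {
        "wrong_code": step.verify("alice", other_code(code)),
        "right_code": step.verify("alice", code),
        "replay": step.verify("alice", code),
    }
    code = step.issue("alice")
    now[0] += CODE_TTL + 1
    results["expired"] = step.verify("alice", code)
    code = step.issue("alice")
    for _ in range(MAX_ATTEMPTS):
        step.verify("alice", other_code(code))
    results["locked_out"] = step.verify("alice", code)
    return results
```

Without the attempt limit a six-digit code could simply be guessed, which is why the correct code is rejected after three wrong tries.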

Twitter much more than a social network

Twitter is the surprise contender in the free speech arena. It is also becoming a surprise tool/weapon in the fight over the line between intellectual property rights and fair use.

Twitter is becoming a lot more important than anyone would have expected in the case against WikiLeaks. CNET reports that a judge has set a hearing to determine whether the Justice Department has a right to the Twitter accounts and records of several WikiLeaks members, including a member of Iceland's parliament. A decision in Twitter's favor could hamper Justice's case against WikiLeaks, but it's unlikely it would scuttle it.

I've been blogging about Sony's war against George Hotz, but today there was an amusing development. David Kravets at Wired reports that a Twitter user sent the PS3 unlock code to Sony's "Kevin Butler" Twitter account. Whoever runs the account wasn't looking and retweeted it to all 75,000 of his followers. Gotta love the irony. Sony probably sent the unlock code to more people than George Hotz ever did.

When the internet was turned off by the government in Egypt people used their cell phones to text updates to Facebook and Twitter. In the past year Twitter has been a major source of information in several areas of unrest and civil rights abuses.

A few years ago no one would have thought a "microblog" site would become a major source of information and a major tool for the oppressed to make public their plight.

Tell your representative, "Let the Patriot Act expire"

The new Republican majority in the House outsmarted themselves by pushing the extension of three provisions of the Patriot Act as an emergency vote. That made a 2/3 majority vote necessary to pass the extension. The extension failed to pass today by just 7 votes.

An extension is still possible if a regular vote can be scheduled before February 28th. Hopefully that won't happen. The three expiring provisions are wonderful for a police state, but slow death to a society founded on the ideal that government exists for the governed, not the other way around. They are:

  • the provision allowing court approved roving wiretaps - those are taps that do not have to specify one location or device but can be moved as desired. This means that devices only peripherally related to the suspect can be tapped.
  • the provision that allows court approved access to "any tangible thing" as long as it's related to a terror investigation. The concern here is that there is no check on this provision. It specifically prohibits using things or activities protected by the First Amendment, but as we learned last week, the FBI is not above violating civil liberties.
  • Third is the provision that allows the surveillance of foreign nationals because they are foreign nationals. No connection to known or suspected terrorists or criminals necessary. The ultimate expression of "us vs them" mentality. Why are all the people protesting SB1070 screaming about this one?

The terrorist threat is real. It's not going away. But giving up our civil liberties does less to protect us than it does to provide the government access to our lives that it should not have. The biggest domestic contributor to the success of the 9/11 attacks was lack of communication between intelligence agencies and even lack of communication within agencies. The Department of Homeland Security was created in part to correct that problem, but two years ago we learned that there has been little or no improvement. Giving government agencies access to more information when they don't even communicate the information they have effectively does nothing to improve security and much to invite abuse. Write your representative and tell him to let these provisions expire.

Sony looking for anyone posting PS3 hack

Sony is threatening to sue anyone who is posting or distributing the PS3 hack refined and distributed by George Hotz. According to David Kravets of the Threat Level blog it doesn't end there. Sony is requesting a judge order Google to turn over the number, names, IP addresses and all comments by people who viewed the video of the jailbreak on YouTube.

Sony is claiming that jailbreaking will eat into PS3 games sales, and has demanded (and the judge granted) that Mr. Hotz turn over all of his computer equipment to them. The whole situation is ludicrous. The exact same activity that Sony is up in arms about is entirely legal on a cell phone. Until recently the PS3 didn't have the protections that George Hotz is being sued for circumventing, and Sony didn't mind if other software was put on the PS3. Even Linux was ok, and that made the PS3 useless as a game console. Modders, the people who would be most likely to use this hack, are a small minority of PS3 gamers.

This problem isn't there because of George Hotz. This problem exists because Sony removed functionality - the ability to install homegrown software on your PS3. What gives them the right to do that? Should GM be able to disable your CD player after you've paid off your car? I would hope that the Judge would boot Sony out of court. But he won't. Hopefully common sense will rule the court and jailbreaking your PS3 or other game console will be legal.

Did the Internet kill privacy?

That's the question asked by CBS. To emphasize the public nature of the internet they talk about the case of Ashley Payne. I blogged about her in a previous blog that has disappeared from the face of the internet, but her story is not unusual. She was a teacher who took a vacation in Europe and posted the pictures on Facebook. One of them had her holding a glass of wine and a beer. Someone complained in an anonymous email, and she was given the option of resigning or being suspended. She chose to resign, but is fighting to get her job back.

So has the internet killed privacy? Is the plight of Ashley Payne and others who have found their lives radically changed by information they thought was secret being exposed online the fault of the internet? Is it the nature of the internet to expose everything? Is our choice to live with our every secret potentially exposed or remove ourselves from modern society?

I don't think the internet has killed privacy. But the people who use the internet have dealt privacy some serious wounds. Between companies gathering all the data they can get their hands on and the government doing the same (admit it or not) it is almost impossible to maintain any level of privacy. Even if you never go online you leave an unbelievable trail with information on your spending habits, medical conditions, and general interests. If you don't have a credit card or checking account you might keep your spending habits under wraps.

If you don't have a credit card or checking account I'm not too sure you have a computer to read this on, so the privacy perils of the internet may not concern you. Some perils are understood by most people. Viruses and spyware are easy to understand. But the bigger problem - or less guarded against - is human nature. Everyone has, to a greater or lesser degree, a desire to be noticed or recognized, a desire to know secrets, and once we know them, a desire to tell them. The internet makes it possible to do all three. And do them while having the illusion of being secret about it.

It's that last part that is the biggest problem. We place things online, whether it's on Facebook, on a blog, or on a personal web server we think is private because we only give friends access. The fact is, if it's connected to the internet then the possibility someone else will get the information and spread it is there. If it's on a site like Facebook it's a lot more likely. If it's on Facebook and you have more than 2 or 3 friends it becomes almost a certainty. It makes us our own worst enemy. We want to share information, but we also want to control what happens to it after we share it. Unfortunately you can't require signing a nondisclosure agreement before friending someone on Facebook or your personal website. Well, you could, but you wouldn't be very popular.

For someone like a teacher it becomes almost inevitable. If you share things online and some of those things might be considered objectionable they will come back to haunt you. All it takes is someone to share them and someone with a gripe to decide to use it against you. It may seem like a stretch, but Ashley Payne can tell you it's a short one.

Senator Ron Wyden questions ICE about domain seizures

Nate Anderson at Ars Technica reports that Oregon Senator Ron Wyden has noticed ICE's seizure of Internet domains over the last several months, and he is not amused. He has sent the head of ICE ten questions he wants answered regarding the handling of those seizures. It's not the first time Mr. Wyden has spoken out against the government's methods (or proposed methods) of combating copyright infringement. In a story on (about the domain seizures) it was also reported that he put the Combating Online Infringement and Counterfeit Act on hold before the end of the last congressional session.

The senator noted that some of the sites taken down might not have done anything illegal. One,, is a Spanish site that has been declared legal multiple times by Spanish courts. Another,, hosted music that had been sent to him for promotional purposes by record executives. Senator Wyden wonders just what type of checking ICE did before taking these domain names. Did they engage in crimes, or did ICE play enforcer for the content providers who provided a list of offending domains? And how does a site that is putting up songs sent to it for that purpose by record executives? Why didn't the site owner provide proof that it had permission to put the songs up? Because it was never offered the chance. The domain was seized without the owner ever being notified that his site was being accused of illegal activity.

Ron Wyden has questioned many of the government's efforts to extend its power to invade citizens' privacy. He's tackling problems like the police's ability to track you without a warrant using your cellphone and the true effect of ACTA on U.S. law.

Ron Wyden is asking the right questions. What will happen if we tie our laws to the laws of other countries? Is it right to seize the property of others with only the claim of infringement by other parties? What is the real effect of file sharing? Should the police be able to track us without a warrant? All are questions that need careful consideration and thoughtful effort put into finding the answers. But until I heard about Ron Wyden it seemed that no one in Washington was asking them. Ron Wyden seems to remember who he was voted into office to represent.

If only there were more in Washington who did.

TSA tests new scanner software. Security theater now PG

Amar Toor at reports that the TSA is trying out new software on some of their full body scanners. The software doesn't display an image of the person being scanned, it only shows a generic male or female image with the suspected contraband highlighted.

This is great when it comes to personal privacy. But it's a massive fail as a security measure. The ability of the scanners to pick up the explosives used by the underwear bomber is still in question, and circumventing the scanners is dirt simple, anyway. As security theater, it's a great show. As real security it gets a raft of golden raspberries.