Saturday, February 19, 2011

How to spot an ATM skimmer

Have you heard about ATM skimmers? Brian Krebs of "Krebs on Security" has written several articles about them, and they've appeared in national news stories a few times this past year. Recently he wrote "Having a ball with ATM skimmers," about a skimmer/camera combo discovered at a bank in Sun Valley, CA.

I don't think we have a problem with skimmers in Lubbock, but they're getting cheaper and are easily available online. So I thought now might be a good time to provide some education on how to spot skimmers. So here is a video from the Commonwealth Bank of Australia:


Criminal Friends on Facebook

I'm sitting here watching TruTV's "Dumbest Criminals 25" and the very first dumb criminals robbed a house with a camera - apparently hidden, but maybe not. It captured them stealing around $11,000 worth of electronics and jewelry. When the owners got home they reviewed the footage and instead of giving it to the cops they put it up on Facebook. One of their Facebook friends ID'ed one of the thieves (he had a great full-face shot) - who was another of the victim's Facebook friends. How did the criminal know the house would be empty? The victim posted a status update saying they would be gone and when they would be back.

I don't know how well the victims knew the thief. I don't know if they were longtime friends or it was just someone whose friend request they'd accepted. Obviously they didn't know him as well as they thought.

Facebook and Twitter are great for keeping up with friends, letting family know what's going on in your life, and seeing what your favorite celebrity's publicist wants you to think the celeb is thinking. But they are not a safe haven. There are loopholes and tricks to see members' information even if you're not their friend. So even if all of your friends are people you know and trust, you should avoid posting real-time information about your activities. It's not hard for crooks to figure out you're not home, but why make it easier?

Copyright lawsuits have a hard time in Texas, and rightly so

My original plan for today's blog was to talk about the EFF's Deeplinks blog post, "Don't Mess With Texas: Another Texas Judge Scrutinizes Mass Copyright Litigation." But before I could do that, I saw "6,374 DISMISSED John Doe Defendants cheer as the LFP Internet Group lawsuits go down in flames," on the TorrentLawyer blog.

I'm proud of the Texas judges who are upholding civil liberties. I'm not defending illegal file sharing, but I am defending the right of the accused to due process. The plaintiff's lawyers in these cases try to treat it more like a racketeering case, filing one suit against all of the John Doe defendants. As Corynne McSherry of DeepLinks put it:

In his orders, Judge Furgeson notes an essential feature of mass copyright litigation: unlike the normal case, in which a defendant is notified of early case developments and can intervene to protect his or her interests (such as by opposing a plaintiff's request to send out subpoenas), the Does in these cases are unlikely to have any idea a lawsuit has been filed, much less that the plaintiff is seeking their identity. Appointing an attorney ad litem for limited purposes is one way to address that problem and help ensure that the Does receive the same constitutional protections that must apply to any defendant, in any litigation.

Filing one suit for hundreds, even thousands of John Does allows the plaintiff's attorneys to proceed with the case without paying filing fees for most of the defendants. Most of the defendants also don't have lawyers, so there is little opposition to whatever the plaintiff's lawyers do. One thing Judge Furgeson has done is consider appointing attorneys for the John Does. He also severed each of the John Does from the primary case, noting that the plaintiff has not offered any proof of conspiracy, and just because a group of people are doing the same thing does not mean they are conspiring or working together.

Because the judge severed each of the defendants, if the plaintiff wants to sue them he will have to sue each individually, paying the filing fees for each case. That will get expensive very quickly. They would also have to file in the correct jurisdiction, another problem with the John Doe cases that have been filed recently in movie sharing cases.

The RIAA and MPAA have a right to protect their interests, but they need to realize that this is not 1980. Although they could look back to the late '70s and early '80s and maybe learn a few things. Then it was the VCR that was the doom of the movie industry. A solution was found then, and once the RIAA and MPAA quit panicking one will be found now. Independent musicians and film makers are using the very things causing traditional content providers problems to promote themselves as they've never been able to before. Instead of suing current and potential customers they should be finding ways to make use of the new technologies. And in case nobody's noticed, all their encryption and lawsuits haven't even managed to slow down file sharing. Instead of trying to cut heads off the hydra, they should be seeking a way to harness the beast.

House extends shredding of citizens' rights. Battle moves to the Senate.

UPDATE: The Senate has passed a 3 month extension of the Patriot Act (the House extension is until Dec. 8th) with a Judiciary Committee hearing on S. 193 expected soon, according to a report by the Electronic Privacy Information Center (EPIC): http://epic.org/2011/02/senate-house-pass-limited-patr.html

On Valentine's Day members of the House of Representatives showed their love for their constituents by passing the Patriot Act extension. I talked last week about the reasons to let the Patriot Act expire. The Patriot Act is too open ended and gives the government too much power to spy on people - citizens and non-citizens - without verifiable reason. According to the Electronic Frontier Foundation (EFF), last year's extension was justified by claiming a need to study proposed changes. But this year's extension was passed without hearings or amendments, or apparently any reason given for not allowing discussion before the vote.

The House has passed the extension, but it still has to get through the Senate. The EFF reports that there are three Patriot bills that could go to the floor - unless the Senate leadership chooses to put the House bill on the floor for a vote. All of these bills extend the Patriot Act, but only S.193 contains changes to provide oversight and accountability for the government's use of Patriot Act powers. The American Library Association supports S.193, which is a plus. The ALA has been fighting for stronger protections from the Patriot Act almost since its inception. It also has the support of:

It's time to contact your senator. The senate website is here. There is a pull down menu in the upper right corner to get your senator's contact information. If you're in Texas, I'll make it easy for you:

Cornyn, John - (R - TX) 517 HART SENATE OFFICE BUILDING WASHINGTON DC 20510 (202) 224-2934

Hutchison, Kay Bailey - (R - TX) Class I 284 RUSSELL SENATE OFFICE BUILDING WASHINGTON DC 20510 (202) 224-5922

Tell your Senator not to extend the Patriot Act. Or if they feel it must be extended, the bill to back is S.193.

IE9 and Firefox will have "Do not track" features

The upcoming versions of Internet Explorer and Firefox will include "Do Not Track" capabilities, but the way they do it is quite different. IE uses blacklisting, which will work, at least for a while. Firefox is implementing a header that will be sent to sites to tell them you don't want to be tracked, which will work only as long as enough sites agree to honor the header.

The Mozilla blog gives a little more information on the "Do not track" header and links to another blog with more technical information on the "Do not track" header.

Ed Bott of ZDNet.com gives a very good explanation of how "Do not track" works in IE. It is part of a series of blogs on internet tracking.

"Do Not Track" needs to be done. But I am concerned that these measures are being done without regard to the far reaching effects of blocking tracking and ads. Much of the free information on the internet is paid for by gathering information on the people who visit websites. Cutting off that revenue stream cold turkey could completely change the face of the internet, causing sites to go out of business or change business models radically. Privacy and control over information about us is extremely important, but we have to be careful we don't shoot ourselves in the foot trying to fix our problem.

Two privacy bills introduced by Representative Jackie Speier (D-Calif)

The Privacy and Information Security Blog reports that Representative Jackie Speier (D-Calif.) has introduced legislation to protect consumer privacy. The legislation is in the form of two bills, the "Do Not Track Me Online Act of 2011" (HR 654) and the "Financial Information Privacy Act of 2011" (HR 653). They are supported by several consumer and privacy advocate groups.

I have downloaded the bills, and have read all of HR 654. It's interesting. It requires a mechanism for people to opt out of data collection - a clear and straightforward mechanism. It also grants the FTC the right to exempt some practices from this bill. There are examples of what types of practices can be exempted, but this provision has some potential for abuse. It also has some teeth in it, although they seem a little limited, considering the size of some of the companies we're talking about. There are fines not to exceed $11,000/day of non-compliance with a maximum fine of $5,000,000. That's a lot of money, and would bankrupt a lot of companies. Other companies will feel the sting of widespread publication of their violation more than a mere $5,000,000.

This bill is a step in the right direction. Requiring that tracking be opt-in rather than opt-out would be better - if we can figure out a way to do that without destroying the internet as we know it. At this point most people are trained to expect free content. They don't realize that all of those 'free' sites they use are paid for by the information gathered about them and sold or used to target advertising. Kill that revenue stream and most, if not all, free sites would have to either shut down or charge for use. So until we can figure out how to do that without killing the internet, Jackie Speier's "Do Not Track" bill is a good starting point to bring privacy to the internet.

I haven't read all of HR 653 yet, but I like the requirements for the opt-in form:

  • (e) CONSENT FORM REQUIREMENTS: An express consent form complies with the requirements of this subsection if it meets the following criteria:
    • (1) It is a separate document, not attached to any other document.
    • (2) It is dated and signed by the consumer.
    • (3) It clearly and conspicuously discloses that by signing, the consumer is consenting to the disclosure to nonaffiliated third parties of nonpublic personal information pertaining to the consumer.
    • (4) It clearly and conspicuously discloses:
      • (A) that the consent will remain in effect until revoked by the consumer;
      • (B) that the consumer may revoke the consent at any time; and
      • (C) the procedure for the consumer to revoke consent.
    • (5) It clearly and conspicuously informs the consumer that:
      • (A) the financial institution will maintain the form or a true and correct copy;
      • (B) the consumer is entitled to a copy of the form upon request; and
      • (C) the consumer may want to make a copy of the document for the consumer's records;
    • (6) Such other criteria as the Bureau of Consumer Financial Protection may determine appropriate.

HR 653 requires that financial institutions make disclosure of customer data to non-affiliated financial institutions an opt-in activity. Non-affiliated just means an institution that does not control, is not controlled by, and is not under common control with the other. For example, if two banks in Lubbock have different names and different leadership, but both are owned by the same company, they are affiliated. If one owns the other, they are affiliated. If both are independently owned and do not have any leaders in common, they are non-affiliated.

From what I've read, this bill is good news. It requires financial institutions to hold personal information in confidence unless specifically given permission to release it to third parties. Banks are not in danger of going out of business if they can't sell customers' data. It is not a core part of their business model. This will be a win for people's right to control their data.

Selling customers' information should never have become part of any company's business model, but it happened almost before anyone noticed with the growth of the web. These two bills are a good beginning at correcting that problem. Write your representative and tell him or her to support these bills.

Google offers all users 2 step login

Google announced yesterday that it will be offering two step logins free to any user that wants it. What Google is calling two step the security industry calls two factor. There are three factors that can be used to identify a person:

  • Something the user knows: birthday, birthplace, 5th President of the U.S., pass code
  • Something the user has: key, swipe card, RFID chip
  • Something the user is: fingerprint, retina print, DNA

What Google is offering is the option to add a second factor - something you have - to the existing single factor of username and password - something you know. When you sign up for the two step authentication you authorize Google to send a passcode to your cell phone. When you enter your username and password a second page will require you to enter the verification code sent to your cell phone by Google.

This is a good thing. It makes it much more difficult to hack into Google accounts. I checked my account a few times yesterday. There was a notice that two step authentication would be coming to it soon. I'm looking forward to it.
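The issue-then-check flow described above, as an added example that is not Google's code: after the password step the server creates a six-digit code, stores only a keyed hash of it, hands the plaintext to the delivery channel, and later accepts it once, within five minutes, with a three-try limit. The class, constants and the injectable clock are invented here for illustration.

```python
"""Second-factor code check modelled on the two-step login flow.

Added example, not Google's implementation. Step one (the password) is
assumed to have already succeeded; this covers the code sent to the phone
and typed on the second page. Names here are made up for the example.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict

CODE_DIGITS = 6
CODE_TTL_SECONDS = 300      # a code is useless after five minutes
MAX_ATTEMPTS = 3            # after that the code is burned; request a new one


@dataclass
class PendingCode:
    digest: bytes           # keyed hash of the code; the plaintext is never stored
    expires_at: float
    attempts: int = 0


class SecondFactorVerifier:
    """Issues and checks one-time codes for users who already passed step one."""

    def __init__(self, server_key: bytes, clock: Callable[[], float] = time.time):
        self._key = server_key              # per-deployment secret, not per user
        self._clock = clock                 # injectable so tests can control time
        self._pending: Dict[str, PendingCode] = {}

    def _digest(self, user: str, code: str) -> bytes:
        # Bind the code to the account so a code issued to one user is not
        # accepted for another even if the store is mixed up.
        return hmac.new(self._key, f"{user}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, user: str) -> str:
        """Create a fresh code for `user`, store its digest, return the code for delivery."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[user] = PendingCode(
            digest=self._digest(user, code),
            expires_at=self._clock() + CODE_TTL_SECONDS,
        )
        return code   # hand to the SMS gateway; never write it to a log

    def verify(self, user: str, submitted: str) -> bool:
        """Second page of the login: single use, time boxed, attempt limited."""
        entry = self._pending.get(user)
        if entry is None:
            return False                    # nothing outstanding for this user
        if self._clock() > entry.expires_at:
            del self._pending[user]
            return False                    # expired; the user must request a new code
        entry.attempts += 1
        ok = hmac.compare_digest(self._digest(user, submitted), entry.digest)
        if ok or entry.attempts >= MAX_ATTEMPTS:
            del self._pending[user]         # success consumes the code; repeated failure burns it
        return ok


if __name__ == "__main__":
    verifier = SecondFactorVerifier(server_key=secrets.token_bytes(32))
    sent = verifier.issue("alice")          # stand-in for the text message
    print("accepted wrong code:", verifier.verify("alice", "000000" if sent != "000000" else "000001"))
    print("accepted right code:", verifier.verify("alice", sent))
    print("accepted replay:", verifier.verify("alice", sent))
```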

Twitter much more than a social network

Twitter is the surprise contender in the free speech arena. It is also becoming a surprise tool/weapon in the fight over the line between intellectual property rights and fair use.

Twitter is becoming a lot more important than anyone would have expected in the case against WikiLeaks. CNET reports that a judge has set a hearing to determine whether the Justice Department has a right to the Twitter accounts and records of several Wikileaks members, including a member of Iceland's parliament. A decision in Twitter's favor could hamper Justice's case against Wikileaks, but it's unlikely it would scuttle it.

I've been blogging about Sony's war against George Hotz, but today there was an amusing development. David Kravets at Wired reports that a Twitter user sent the PS3 unlock code to Sony's "Kevin Butler" Twitter account. Whoever runs the account wasn't looking and retweeted it to all 75,000 of his followers. Gotta love the irony. Sony probably sent the unlock code to more people than George Hotz ever did.

When the internet was turned off by the government in Egypt people used their cell phones to text updates to Facebook and Twitter. In the past year Twitter has been a major source of information in several areas of unrest and civil rights abuses.

A few years ago no one would have thought a "microblog" site would become a major source of information and a major tool for the oppressed to make public their plight.

Tell your representative, "Let the Patriot Act expire"

The new Republican majority in the house outsmarted themselves by pushing the extension of three provisions of the Patriot Act as an emergency vote. That made a 2/3 majority vote necessary to pass the extension. The extension failed to pass today by just 7 votes.

An extension is still possible if a regular vote can be scheduled before February 28th. Hopefully that won't happen. The three expiring provisions are wonderful for a police state, but slow death to a society founded on the ideal that government exists for the governed, not the other way around. They are:

  • the provision allowing court approved roving wiretaps - those are taps that do not have to specify one location or device but can be moved as desired. This means that devices only peripherally related to the suspect can be tapped.
  • the provision that allows court approved access to "any tangible thing" as long as it's related to a terror investigation. The concern here is that there is no check on this provision. It specifically prohibits using things or activities protected by the First Amendment, but as we learned last week, the FBI is not above violating civil liberties.
  • Third is the provision that allows the surveillance of foreign nationals because they are foreign nationals. No connection to known or suspected terrorists or criminals necessary. The ultimate expression of "us vs them" mentality. Why are all the people protesting SB1070 screaming about this one?

The terrorist threat is real. It's not going away. But giving up our civil liberties does less to protect us than it does to provide the government access to our lives that it should not have. The biggest domestic contributor to the success of the 9/11 attacks was lack of communication between intelligence agencies and even lack of communication within agencies. The Department of Homeland Security was created in part to correct that problem, but two years ago we learned that there has been little or no improvement. Giving government agencies access to more information when they don't even communicate the information they have effectively does nothing to improve security and much to invite abuse. Write your representative and tell him to let these provisions expire.

Sony looking for anyone posting PS3 hack

Sony is threatening to sue anyone who is posting or distributing the PS3 hack refined and distributed by George Hotz. According to David Kravets of the Threat Level blog it doesn't end there. Sony is requesting a judge order Google to turn over the number, names, IP addresses and all comments by people who viewed the video of the jailbreak on YouTube.

Sony is claiming that jailbreaking will eat into PS3 games sales, and has demanded (and the judge granted) that Mr. Hotz turn over all of his computer equipment to them. The whole situation is ludicrous. The exact same activity that Sony is up in arms about is entirely legal on a cell phone. Until recently the PS3 didn't have the protections that George Hotz is being sued for circumventing, and Sony didn't mind if other software was put on the PS3. Even Linux was ok, and that made the PS3 useless as a game console. Modders, the people who would be most likely to use this hack, are a small minority of PS3 gamers.

This problem isn't there because of George Hotz. This problem exists because Sony removed functionality - the ability to install homegrown software on your PS3. What gives them the right to do that? Should GM be able to disable your CD player after you've paid off your car? I would hope that the Judge would boot Sony out of court. But he won't. Hopefully common sense will rule the court and jailbreaking your PS3 or other game console will be legal.

Did the Internet kill privacy?

That's the question asked by CBS. To emphasize the public nature of the internet they talk about the case of Ashley Payne. I blogged about her in a previous blog that has disappeared from the face of the internet, but her story is not unusual. She was a teacher who took a vacation in Europe and posted the pictures on Facebook. One of them had her holding a glass of wine and a beer. Someone complained in an anonymous email, and she was given the option of resigning or being suspended. She chose to resign, but is fighting to get her job back.

So has the internet killed privacy? Is the plight of Ashley Payne and others who have found their lives radically changed by information they thought was secret being exposed online the fault of the internet? Is it the nature of the internet to expose everything? Is our choice to live with our every secret potentially exposed or remove ourselves from modern society?

I don't think the internet has killed privacy. But the people who use the internet have dealt privacy some serious wounds. Between companies gathering all the data they can get their hands on and the government doing the same (admit it or not) it is almost impossible to maintain any level of privacy. Even if you never go online you leave an unbelievable trail with information on your spending habits, medical conditions, and general interests. If you don't have a credit card or checking account you might keep your spending habits under wraps.

If you don't have a credit card or checking account I'm not too sure you have a computer to read this on, so the privacy perils of the internet may not concern you. Some perils are understood by most people. Viruses and spyware are easy to understand. But the bigger problem - or the less guarded against - is human nature. Everyone has, to a greater or lesser degree, a desire to be noticed or recognized, a desire to know secrets, and once we know them, a desire to tell them. The internet makes it possible to do all three. And do them while having the illusion of being secret about it.

It's that last part that is the biggest problem. We place things online, whether it's on Facebook, on a blog, or on a personal web server we think is private because we only give friends access. The fact is, if it's connected to the internet then the possibility someone else will get the information and spread it is there. If it's on a site like Facebook it's a lot more likely. If it's on Facebook and you have more than 2 or 3 friends it becomes almost a certainty. It makes us our own worst enemy. We want to share information, but we also want to control what happens to it after we share it. Unfortunately you can't require signing a nondisclosure agreement before friending someone on Facebook or your personal website. Well, you could, but you wouldn't be very popular.

For someone like a teacher it becomes almost inevitable. If you share things online and some of those things might be considered objectionable they will come back to haunt you. All it takes is someone to share them and someone with a gripe to decide to use it against you. It may seem like a stretch, but Ashley Payne can tell you it's a short one.

Senator Ron Wyden questions ICE about domain seizures

Nate Anderson at Ars Technica reports that Oregon Senator Ron Wyden has noticed ICE's seizure of Internet domains over the last several months, and he is not amused. He has sent the head of ICE ten questions he wants answered regarding the handling of those seizures. It's not the first time Mr. Wyden has spoken out against the government's methods (or proposed methods) of combating copyright infringement. In a story on Politico.com (about the domain seizures) it was also reported that he put the Combating Online Infringement and Counterfeits Act on hold before the end of the last congressional session.

The senator noted that some of the sites taken down might not have done anything illegal. One, rojadirecta.org, is a Spanish site that has been declared legal multiple times by Spanish courts. Another, dajaz1.com, hosted music that had been sent to him for promotional purposes by record executives. Senator Wyden wonders just what type of checking ICE did before taking these domain names. Did they engage in crimes, or did ICE play enforcer for the content providers who provided a list of offending domains? And how does a site that is putting up songs sent to it for that purpose by record executives? Why didn't the site owner provide proof that it had permission to put the songs up? Because it was never offered the chance. The domain was seized without ever notifying the owner of dajaz1.com that his site was being accused of illegal activity before the domain was seized.

Ron Wyden has questioned many of the government's efforts to extend its power to invade citizens' privacy. He's tackling problems like the police's ability to track you without a warrant using your cellphone and the true effect of ACTA on U.S. law.

Ron Wyden is asking the right questions. What will happen if we tie our laws to the laws of other countries? Is it right to seize the property of others with only the claim of infringement by other parties? What is the real effect of file sharing? Should the police be able to track us without a warrant? All are questions that need careful consideration and thoughtful effort put into finding the answers. But until I heard about Ron Wyden it seemed that no one in Washington was asking them. Ron Wyden seems to remember who he was voted into office to represent.

If only there were more in Washington who did.

TSA tests new scanner software. Security theater now PG

Amar Toor at switched.com reports that the TSA is trying out new software on some of their full body scanners. The software doesn't display an image of the person being scanned, it only shows a generic male or female image with the suspected contraband highlighted.

This is great when it comes to personal privacy. But it's a massive fail as a security measure. The ability of the scanners to pick up the explosives used by the underwear bomber is still in question, and circumventing the scanners is dirt simple, anyway. As security theater, it's a great show. As real security it gets a raft of golden raspberries.

FBI may have violated U.S. citizens' civil liberties 40,000 times since 9/11

The EFF released a report (pdf) last month on FBI violations of our civil liberties - of the rules that dictate how the FBI can investigate us. It covered the time period from 2001 to 2008, and showed disturbing trends in FBI investigations.

According to the EFF analysis of documents they received from freedom of information lawsuits the FBI may have had 40,000 violations in that time. The violations that were reported often weren't reported for years. The violations ranged from oversight guideline violations (failure to make reports to oversight organizations) to constitutional violations.

Part of the problem is that President Bush relaxed and even removed many of the rules on oversight of FBI operations. Without oversight any agency is likely to overstep its bounds. President Obama has reinstated some of those controls, but hasn't clarified just what that means. This has some people concerned that the changes may be window dressing. But only time will tell.

Is Sony only loaning you the PS3?

Wired's Threat Level blog reports that George Hotz has been ordered by the court (PDF) to turn over all of his computer equipment to Sony. He has also been ordered to recover any and all devices or instructions for getting around the security that keeps you from installing software you want on your Xbox but that hasn't been approved by Sony. Software such as a different operating system - something that was permitted until recently. That's bad enough, but Sony has already released a firmware patch that renders Mr. Hotz's hack ineffective. Yet one of the reasons Sony wanted all of his equipment and data was that his keeping it would do them irreparable harm. The irreparable harm of allowing people to make full use of the equipment they've paid good money for. The jailbreak is a massive 100k. The equipment Sony wants contains terabytes of data. Yet less than a week after the judge's ruling, a patch is out that prevents the jailbreak from working, meaning Sony will suffer no further harm. That there was any harm in the first place is arguable.

Worse, the judge ordered "the Defendant Hotz, with notice of this Order, shall retrieve any Circumvention Devices or any information relating thereto which Hotz has previously delivered or communicated to the Defendants or any third parties."

Folks, the instructions were posted on YouTube. They've been posted and reposted all over the web. Mr. Hotz has removed the YouTube video and any other copies of the information he can, but the genie is out of the bottle. Short of shutting down the internet, George Hotz can no more retrieve all copies of his PS3 jailbreak than he can put out the sun by spitting at it. That demand is impossible to comply with.

But all of this really hinges on one question: Who owns your PS3 after you've handed over your $300? Software companies started the idea of licensing their products instead of selling them outright. I don't like the idea with software, and I can't stand it with hardware. The idea that when I buy a computer I can't decide to change it without permission of the company I bought it from is ridiculous. It also would have cost Sony money, had they forbidden modifications to PS3s a couple of years ago. The Department of Defense bought several thousand PS3s and installed Linux on them to create a bargain basement price supercomputer. That couldn't have happened under the current Sony rules.
How long will it take for the government to realize that the DMCA is too vague and is easily abused, and that abuse stifles innovation, opposite the intended effect of intellectual property laws?

Crazy few weeks in privacy, security, human rights

The past several weeks have been a little crazy when it comes to privacy and human rights. Facebook became a privacy hero (although Facebook called it a security issue), went back to its privacy-invading roots, and regained a little face by making https connections an option for users. Of course, these seeming contradictions resolve into logical actions when you realize the point of view Facebook has toward them. Facebook doesn't worry about users' privacy. It worries about security. That's why it stomped on Tunisia's attempt to steal all of the Tunisian users' login credentials - a security breach - but is willing to let third parties access Facebook users' data without their consent.

The internet has been a great tool for activists and protestors. The last few weeks have seen it used as a tool for oppressive governments. Tunisia tried to steal the Facebook credentials of the entire population of the country. Egypt is trying to block the internet to prevent the spread of dissident ideas and information. While they haven't been able to silence everyone, they have had surprising success blocking the internet.

It has been suggested that the President should have an internet "kill switch." It has also been said that such a thing would be almost impossible to implement. I tend to agree, but with Tunisia's near success at stealing their citizens' Facebook credentials and Egypt's blocking of the internet in their country, I have to wonder if that belief isn't misguided. We have reached the point that whoever controls the internet controls the chief source of information for many people. Can we trust that power to the government?