The Privacy BlogPrivacy, Security, Cryptography, and Anonymity

CAT | Uncategorized

Google is changing its terms of service to allow them to use your name and photo in advertisements to your friends. Most people seem to have been opted in to this by default, although some (including me) have found themselves defaulted out of the program.

If you are uncomfortable with your name, picture, and opinions appearing in ads from Google, just go to Google’s Shared Endorsements Settings page. The page describes the program. At the bottom you will find a checkbox. Uncheck it, and click “Save”.

· ·

Apparently in response to pressure from China, Apple has pulled censorship circumvention app “OpenDoor” from the iTunes app store.

More info here.

No tags

Krebs on Security discovered that a major identity theft service populated its databases by raiding the vaults of three of the biggest personal information brokers, including LexisNexis, Dun & Bradstreet, and Kroll Background which does employment background, drug, and health screening.

This is very bad news. The stolen data includes SSN, birthdays, and the answers to almost any security question your bank or other sensitive website might ask.

This is further evidence of my thesis that: if the data exists, it will eventually get out.

·

MaskMe (introduced in this blog post) is an interesting new entrant in the privacy services space.

They provide the ability to provide “masked” Email addresses (like our old Nyms product), phone numbers, and credit cards.

Combined with Anonymizer Universal, you will be able to do a fairly comprehensive job of shielding your true identity from websites and services you use.

This is a brand new service, so it is hard to know how it will fair, but it is certainly worth watching.

· · ·

spider.io is talking about a bug they discovered in Microsoft Internet Explorer versions 6-10. Evidently the bug allows tracking of your mouse movement even if the browser window has been minimized and you have a different application active.

They say that at least two companies providing display ad analytics are already using this exploit to improve their analysis.

OUCH! Yet another good reason to use any browser but IE.

· ·

From Declan’s article on CNET.

The fight over the “do not track” flag continues.

In the latest version of Internet Explorer (version 10), Microsoft has made “do not track” the default setting. This makes tracking by websites an “opt in” rather than an “opt out” proposition. Privacy advocates have long favored this approach, but advertisers don’t like it.

Yahoo feels so strongly about this that they say that they will ignore the Do Not Track (DNT) flag when coming from IE 10 browsers. The open source Apache web server is also going to come configured to ignore the IE 10 DNT flag.

So, even if you explicitly want Do Not Track, and would have gone in and manually enabled it, you will be tracked by Yahoo anyway.

Ironically, this means that if you actually want to not be tracked, you need to use a different browser and manually enable the setting.

I do appreciate the effort Microsoft, and shame on you Yahoo.

· · ·

Sep/12

19

Picking Powerful Pins

Despite all the work on dual factor authentication and other new security methodologies, in general our passwords are the keys to the kingdom.

In many cases, such at ATMs, we are limited to 4 digit numeric PINs.

This post to DataGenetics does a good job of analyzing how bad we are at picking PINs and how easy we make things for the attackers.

It is worth a read.

Short answer: you can hack a over 10% of accounts by guessing “1234”.

·

In this CNET article by Declan McCulagh, he reports that the DoJ is planning to request mandatory data retention by Internet providers. Their argument is that the lack of data retention is interfering with law enforcement’s ability to investigate cases. This implies some kind of shift in the balance of privacy vs. access. No such shift has taken place.

I think that they are more frustrated by the fact that a huge potential gold mine of information is out there to which they don’t have access. Prior to the various modern technological revolutions people used pay phones, sent letters, and paid cash for toll roads.

Now they use Twitter, SMS, Facebook, Email, cell phones, electronic toll payment etc. There is way more information available to law enforcement now than before. The fact that this data retention is only on the Internet may make people feel better, but one would certainly learn more about me from my Internet activities than from following me around physically.

Lets look at what is being asked for with a real world analogy. This is like saying that the US Postal Service should photograph and database the address, and return address, on every letter which goes through the system. Physically is it like saying the cell phone company should record and retain my GPS location at all times. Either of those would actually be much less intrusive than monitoring how I use the Internet at all times.

Lets not get in to the cost of maintaining these records or the issues with leaks or hackers. Consider the Chinese attacks on dissident Google accounts. This plan would ensure that such information was much more widely maintained.

At this point it appears to be a only a request. I am curious to see how this evolves over the congressional term.

· · ·

India to Monitor Google and Skype – WSJ.com.

As an extension of their policy of pushing for access to encrypted communications on RIM BlackBerry devices, they are now demanding access to data from both Google and Skype. India is demanding that Skype and Google install servers within India so the government can access the information on Indian users.

Obviously bad guys can trivially bypass this through the use of VPNs and by taking care to use servers located outside of India. The real impact will be to open all legitimate Internet users to universal surveillance.

No tags

The Wall Street Journal has been running an excellent series of articles on commercial tracking technologies used by websites and advertisers to profile and target you. Many will be shocked by the level of detail in the collected information and the scope of its collection.

This information is used for targeting advertising, but also (and worse) for giving you different information, offers, and prices.

Your Privacy Online – What They Know – WSJ.com The main page for this set of reports

On the Web’s Cutting Edge, Anonymity in Name Only – WSJ.com: talks about some of the specific tracking technologies and how they are used.

Lawsuit Tackles Files That ‘Re-Spawn’ Tracking Cookies – Digits – WSJ talks about new kinds of tracking methods that allow you to be tracked and identified even if you change IP address and delete cookies in your browser.

Personal Details Exposed Via Biggest U.S. Websites – WSJ.com: talks about how many of the largest and best know sites on the web are actively participating in this tracking trend. In some cases the WSJ found over 100 different tracking tools on a single website.

No tags

<< Latest posts

Older posts >>