The Privacy Blog: Privacy, Security, Cryptography, and Anonymity

Category: Spyware and Malware

For years I have been telling people to be especially careful when they venture into the dark back alleys of the Internet. My thinking was that these more “wild west” areas would be home to most of the malware and other attacks.

Dark Reading analyzes a Cisco report which says that online shopping sites and search engines are over 20 times more likely to deliver malware than counterfeit software sites. Advertisers are 182 times more dangerous than pornography sites.

So, I guess I need to change my tune. Be careful when you are going about your daily business, and have fun in those dark alleys!

Germany wants to spy on suspects via Web

Germany is proposing to use trojan horse software to enable surveillance of target computers. I have to wonder how effective this will actually be. They are talking about distributing it in an apparently official email from a government email address.

  1. Now that the bad guys know this, it seems likely that they will take more care with the attachments from the government.
  2. Anti-virus / anti-malware programs should be able to identify and block this software.
  3. If the anti-virus software makers are convinced to leave a hole for this software, it will be a huge back door for other hackers to use to deploy their trojan horse software.

In general this seems like a high risk operation for the Germans. I suspect that it will be used rarely and very selectively.

I have seen a couple of articles recently on the third attempt by Congress to pass an anti-spyware bill (this time H.R.964 aka “The Spy Act”).

False Sense Of Security?
Even if the law is needed to intervene, it is unlikely to impact a significant fraction of the offenders, who are operating in countries and jurisdictions that are uncooperative with US law enforcement. Foreign criminal elements will laugh at these laws, and there may be a danger if the passage of a law lulls people into a sense of false security, causing them to lower their guard.

It is interesting to see the Direct Marketing Association (DMA) fighting this legislation so aggressively. The plea for self-regulation clearly indicates a desire to continue using these kinds of tactics. Specifically, Dave Morgan of the Interactive Advertising Bureau (IAB) described “consent” and “prescriptive notice” as “extreme measures,” while to me these seem the least requirement for “informed consent” and should form the baseline of privacy policy.

The core principle is that people need to have the ability to know when their information is being captured, know how it will be used, and have some ability to avoid this if they so choose. Legislation that effectively embodies this will be robust against the fast-changing technological background, while narrowly tailored laws are likely to be easily bypassed by new technical tricks.
