Every Click You Make - washingtonpost.com

This article discusses the risk from "deep packet inspection" by ISPs. The article states that at least 100,000 people in the US are being tracked with this technology right now. If true, the impact could be huge. Whereas a website can only track you while you are actually visiting that site, your ISP can see all of your activity on every website or other service you use. The idea is that the information collected could be sold to advertisers to better target marketing messages to you. If you had been looking at car sites, you might see more car ads the next time you visit an advertising-supported website like CNN.com.

This is certainly not the realm of science fiction. The Chinese government is already using this technology on a massive scale as part of its national censorship infrastructure. They use it to detect forbidden words and phrases, "Tibet" being at the top of that list right now.

Most of us assume that the bad guys are "out there" on the net, and that our ISPs are basically just passing our traffic along without looking at it. If they start this kind of inspection, it opens all kinds of additional risks. Once the equipment is there, a rogue sysadmin could tune it to watch for passwords, personal information, bank information, etc. It opens a whole new set of vulnerabilities.

Anonymizer's Total Net Shield, and Private Surfing (with full-time SSL enabled), provide significant protection against this threat. Both tunnel your traffic to Anonymizer in encrypted form, so the ISP can inspect nothing beyond the fact that it is going to Anonymizer (and roughly how much of it there is).

It is shocking to me that this kind of thing should be possible without explicit user consent. Maybe we need a "truth in labeling" law for Internet service providers. A bottle of Napa Merlot cannot be so labeled unless it is from Napa and made from merlot grapes. Similarly, it should not be called an "Internet Connection" if you can't go everywhere (some ISPs are restricting certain perfectly legal protocols). If the ISP is going to spy on you, it should be in big red letters. Maybe I am OK with that, but I certainly have a right to know in advance.

Firewire enables direct hack against any OS

Tool Physically Hacks Windows - Desktop Security News Analysis - Dark Reading

I am not sure how this has been true for years, yet has received so little attention. This article discusses the fact that Firewire connections allow direct read and write access to a computer's RAM. In many ways this is even better, from the attacker's side, than the RAM persistence I blogged about a while back. It appears to be easy to write a script, running on an iPod or other Firewire device, that grabs passwords from memory, bypasses login screens, and gains access to the local drive.

The amazing thing about this memory access is that it bypasses the CPU entirely. Firewire devices use DMA, so the reads and writes go straight to RAM without the operating system being involved, and normal security software running on the host never sees them. PCMCIA and Firewire are designed to work this way. It is a "feature", not a "bug". Nevertheless, it is a huge security issue. If your computer is under the physical control of another person, you are in trouble. Hard drive encryption is the solution, but only if the computer is OFF. If it is on, the key or password can be grabbed from memory. There is really no solution to that problem.

There are two actions one can take. First, you can physically disable your Firewire capability if you need to leave your computer running unattended. (Disabling the driver accomplishes the same thing without touching hardware: on Linux, blacklist the sbp2 and ohci1394 modules, or firewire-sbp2 and firewire-ohci on the newer stack; on Windows, disable the 1394 controller in Device Manager.) Second, you can make sure you never leave your computer running unattended in an insecure location, and that the hard drive is encrypted securely. This second suggestion is the same solution as for the RAM persistence attack.

VoIP: Who Might Be Spying on Your Communications? (Hint — It's Not Just the NSA) - VoIP News

This somewhat simplistic article makes the case that one should not consider VoIP to be a secure replacement for land line phones. It too is vulnerable to a number of governmental and criminal interception attacks.

Bruce Schneier's Security Matters: The Myth of the 'Transparent Society'

This is a nice little article arguing against the idea of Brin's Transparent Society as a solution to the privacy problem. I suspect David Brin would object to the characterization of his work as presenting it as a panacea, but many do so argue.

Bruce argues that the relative power disparity makes for unequal results in the two directions of observation. From my perspective, the idea of enabling the public to watch the government surveillance apparatus is completely unrealistic. It would enable our enemies (and as a nation the US does have real enemies) to reverse engineer and avoid our surveillance. The best one can realistically hope for is very rigorous oversight (which has also seemed unrealistic of late).

At the same time, the spread of cameras, facial recognition, RFID, etc., is rapidly increasing the level of surveillance of the general population. The only place where observation and recording by the people seems to be really effective is in issues of corruption or abuse of power, Rodney King being an obvious (and ambiguous) example.

Security and Privacy Aren't Opposites

What Our Top Spy Doesn't Get: Security and Privacy Aren't Opposites

Wow, I don't know how I missed this one back last month! I wish I had written this essay. The key point is that privacy is not the antithesis of security. Most of the privacy-invading "security" solutions we see are what I call "placebo security" and Bruce calls "security theatre". Things like the no-fly list, which appears to catch orders of magnitude more innocents than terrorists, and the national ID card, when all the terrorists had legally issued valid ID already.

In fact, many measures seriously damage security, like putting personal information in the clear on driver's licenses, including Social Security Numbers in many cases! It is an axiom of security that valuable information will leak and that people with access will abuse that access. The more control a government demands, the more oversight is required. That was my real problem with warrantless wiretapping. Not the wiretapping, but the warrantless. Surveillance of anyone at any time for any reason is the hallmark of a police state. The key is independent oversight. The debate on how that should be done must be open and honest.

The security vs. privacy debate seems to me to be built on dishonest assumptions. It tends to be rhetoric and political point scoring on both sides, with little discussion of whether the proposed solutions or changes actually improve security, what the real trade-off is, and whether that trade is worthwhile.

We are currently being asked to sacrifice enormous amounts of privacy and freedom to confront a threat that is minuscule compared to smoking or drunk driving, threats about which few would make such arguments.

How to physically take a computer without interrupting the power.

One of my folks at Anonymizer pointed me towards the WiebeTech HotPlug site as a follow-up to my blog post yesterday about recovering data from RAM after it has been removed from power. The HotPlug tool is sold to law enforcement to enable seizure of a computer without ever turning it off. The system has several methods that allow a running computer to be transitioned to a portable UPS without causing the computer to shut down or react in any way. It can then be transported to a lab with the OS still running.

As an additional clever trick, they have a USB dongle called the "Mouse Jiggler" which simulates a mouse making constant small motions, thus preventing a screen saver from ever activating. This allows the attacker to take all the time he needs without a password-protected screen saver, or any other inactivity-based security trigger, kicking in. Note what it does and does not defeat: it keeps an inactivity timer from expiring, but it does nothing against a screen you have already locked by hand, which is one more reason to lock explicitly rather than rely on the timer.

All this enables the attacker to get the computer back to controlled laboratory conditions before trying to access the machine or pulling the power to capture the RAM image. Yet another argument for not walking away from a running computer with sensitive information.

Whole disk encryption highly vulnerable to physical attack.

Center for Information Technology Policy » Lest We Remember: Cold Boot Attacks on Encryption Keys

This paper provides real experimental data on an interesting attack on computer security. Rather than focusing on cracking keys or breaking cryptosystems, it looks at recovering data and keys directly from computer RAM. The authors show that a computer's RAM can be recovered with few errors several seconds after power has been removed, and that this can be extended to several minutes if the memory is cooled well below zero. Squirting the chips with a can of compressed "air" can cool them enough to give you minutes of working time, plenty of time to drop them in liquid nitrogen, which would give you over an hour with almost zero loss of information. The process for recovering the data from the memory chips is simple and requires no special equipment at all.

The big threat here would be in situations where your computer is stolen in a sleep state. Suspend-to-RAM keeps the disk encryption keys in memory; the password protection will make it very hard for an attacker to get access to the machine without a reboot, but the attacker has all the time in the world to cool the chips before pulling the power. From a behavior point of view, it says that you should take care to actually turn your computer OFF if it is going to be out of your physical possession, or if there is risk of it being seized without notice. Leaving your computer on and sleeping, but protected with a screen lock, is very risky against an aggressive and technical opponent.

Thanks to David Kaufman for passing this along to me.
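The paper also describes how keys are located in a memory image: an AES key sits in RAM alongside its expanded key schedule, and the schedule's redundancy both identifies the key and lets bit errors from decay be corrected. The following Python is an added example, not code from the paper or from this post, implementing a simplified version of that search. It derives the AES S-box, expands every 16-byte window of a dump as though it were a key, and reports windows whose following 160 bytes match the derived round keys to within a bit-error tolerance. The memory image is constructed here (random bytes with the FIPS-197 test key's schedule embedded at an assumed offset, then a few bits flipped to mimic decay), and the simplification assumed is that the 16 master-key bytes themselves survived; the authors' own tooling also repairs errors inside the key.

```python
import random

# --- AES-128 key schedule (textbook implementation, no external dependencies) ---

def _gf_mul(a: int, b: int) -> int:
    """Multiply two bytes in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p

def _build_sbox() -> list:
    """Derive the AES S-box: multiplicative inverse followed by the affine map."""
    inv = [0] * 256
    for a in range(1, 256):
        if inv[a]:
            continue
        for b in range(1, 256):
            if _gf_mul(a, b) == 1:
                inv[a], inv[b] = b, a
                break
    sbox = []
    for x in range(256):
        v = inv[x]
        s = v
        for _ in range(4):            # s = v ^ rotl(v,1) ^ rotl(v,2) ^ rotl(v,3) ^ rotl(v,4)
            v = ((v << 1) | (v >> 7)) & 0xFF
            s ^= v
        sbox.append(s ^ 0x63)
    return sbox

SBOX = _build_sbox()

def expand_key(key: bytes) -> bytes:
    """AES-128 key expansion: 16-byte key -> 176-byte schedule (11 round keys)."""
    assert len(key) == 16
    w = list(key)
    rcon = 1
    for i in range(4, 44):
        t = w[(i - 1) * 4:i * 4]
        if i % 4 == 0:                                # RotWord, SubWord, Rcon
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= rcon
            rcon = _gf_mul(rcon, 2)
        w += [p ^ q for p, q in zip(w[(i - 4) * 4:(i - 3) * 4], t)]
    return bytes(w)

# --- Scanning a (partially decayed) memory image for key schedules ---

def _hamming(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def find_aes128_keys(image: bytes, max_bit_errors: int = 64) -> list:
    """Slide a 16-byte window over the image and report (offset, key, bit_errors)
    wherever the 160 bytes after the window are the round keys derived from it,
    allowing up to max_bit_errors flipped bits (decay tolerance). Random data
    mismatches roughly half of the 1280 schedule bits, so false hits are negligible."""
    hits = []
    for off in range(0, len(image) - 176 + 1):
        cand = image[off:off + 16]
        sched = expand_key(cand)
        errs = _hamming(sched[16:], image[off + 16:off + 176])
        if errs <= max_bit_errors:
            hits.append((off, cand, errs))
    return hits

def build_decayed_image(key: bytes, seed: int = 7, flips: int = 12) -> bytes:
    """Constructed sample dump: 4 KiB of pseudo-random 'heap' with the key schedule
    embedded at an assumed offset, then `flips` random bits of the stored round keys
    flipped. Simplifying assumption: the 16 master-key bytes themselves survive."""
    rng = random.Random(seed)
    buf = bytearray(rng.getrandbits(8) for _ in range(4096))
    off = 1234
    buf[off:off + 176] = expand_key(key)
    for _ in range(flips):
        bit = rng.randrange(16 * 8, 176 * 8)      # decay only the derived round keys
        buf[off + bit // 8] ^= 1 << (bit % 8)
    return bytes(buf)

if __name__ == "__main__":
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # FIPS-197 test key
    for off, k, errs in find_aes128_keys(build_decayed_image(key)):
        print(f"AES-128 key at offset {off}: {k.hex()} ({errs} bit errors in schedule)")
```

Because the AES key schedule is invertible, any intact round key recovers the master key, which is why an attacker looks for the schedule rather than for the key bytes alone. The same structure is what a defender's memory-forensics pass scans for when checking whether a crashed or suspended machine's dump would leak its disk-encryption key; the naive window-by-window scan above is fine for a few kilobytes, while the authors' released tools do it at gigabyte scale with error correction.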

Does the Fifth Amendment Protect the Refusal to Reveal Computer Passwords? In a Dubious Ruling, A Vermont Magistrate Judge Says Yes

FindLaw's Writ - Colb: Does the Fifth Amendment Protect the Refusal to Reveal Computer Passwords? In a Dubious Ruling, A Vermont Magistrate Judge Says Yes

This case raises some interesting questions about using cryptography. Not the usual ones about technical attacks, but about how strong crypto behaves in court. In general, if someone finds an encrypted volume on your computer, is that prima facie evidence of illegal materials and thus probable cause? Suppose it was called “my plans to kill the president”? In this particular case the defendant actually showed law enforcement the contents of the encrypted directory, and the files located therein clearly indicated illegal content. That would seem to be his big mistake. The prosecutors are not guessing about the files in there; they know what is there already and just want access.

At the end of the day, the defendant can always decide whether the punishment for contempt for not revealing the password is worse than the punishment for what will be found inside. If the contents are really bad, he is best off resisting. I can’t see anyone doing 20 years in jail to compel production of the password. Of course, in that amount of time computers may be fast enough that brute forcing the password (a weak one, at least) may be trivial. This is a real concern if the statute of limitations for your crime is very long or there is no limitation.

The Anonymity Experiment | Popular Science

This is an interesting article on trying to live in the modern world without leaving any digital footprints. It is nice to see they suggested Anonymizer; unfortunately they got the facts completely wrong. They suggest that anyone could run an Anonymizer proxy, and that those people could be monitoring traffic. That is true of the Tor network, but not of Anonymizer. We own and operate all of our own servers and networks, for exactly that reason.

Script attack for capturing your browser history

This page (Bookmark button test page) contains a nice demonstration of the ability to retrieve your surfing history from your browser. In this case, it looks for any social bookmarking sites you may have visited in the past. Obviously this could be extended to look for any other sites you might have visited. For example, it would enable an attacker to target phishing attacks at you based on the bank websites you actually visit. This shows once more the double-edged sword of browser functionality. The scripting capabilities that make possible such things as Google Docs also enable this kind of attack. They go hand in hand: the more power you give to the scripting language, the more opportunity there is to abuse that power.

Ireland to start broad data retention

It looks like the trend towards widespread retention of traffic analysis data is spreading to Ireland, one of the last holdouts in Europe. If you want to be protected from this kind of data gathering, you need to take proactive precautions. From the SANS Institute:

To satisfy the requirements of a European Union (EU) directive, Ireland will begin retaining records of its citizens' emails and Internet chats. While the content of the communications will not be retained, records of the IP addresses of the participants, the time and date of the communication, and the physical size of the message would be stored. The plan would take effect within one month through a statutory instrument in lieu of introducing legislation in Parliament because the country has received notice from the EU that it is three months overdue in implementing a data retention plan. A civil liberties organization has voiced its opposition to the plan as well as the way in which it is being implemented. The group maintains that law enforcement officials will be permitted to access the retained data without court orders or warrants.

Fragile Anonymity

Bruce Schneier, in Crypto-Gram: January 15, 2008, writes an excellent article on the ease of re-identifying "anonymized" data. The Census, research results, survey results, and many other databases are released with identifying information removed with the intent to protect the identity of the subjects in the database. It turns out that it is disturbingly easy to attach the real identities again.

A question of identity

In the article What's In A Name at Design Observer, Steven Heller argues against the use of pseudonyms and anonymity in blogs. He states, but never really argues, that pseudonyms are:

  1. Cowardly
  2. Deceitful
  3. Unacceptable

Despite the fact that I blog under my real name, few may find it surprising that I disagree with his claims. In this age where every word we post will last well beyond our years on earth, one should take great care about posting anything under a real name. I hold very different opinions now than I did when I was young. I would not want to have those thoughts thrown back in my face. Many bloggers hold opinions that run counter to those of their employers. Making strong arguments that might be detrimental to one's employer could well be a "career limiting move". The fear of such retaliation is often much worse than the reality. The chilling effect on speech can be significant. Far from being cowardly, I argue that pseudonymous blogging is simply prudent in many cases.

That pseudonyms are deceitful would seem to apply to only a very small subset of bloggers: those who are using a pseudonym that appears to be real but is not, and which is masking a true identity that, if known, would significantly color a reader's interpretation of the blog. In other words, where the choice of the pseudonym is made with an intent to deceive. The vast majority of pseudonyms I have seen used are obviously such. There is no doubt that the author is using a pseudonym. The desire to speak from behind a mask is completely overt. In addition to security and privacy concerns, one may well choose to do this to allow the writing and arguments to stand on their own, completely apart from the identity of the writer. For example, in a forum on Israeli / Palestinian issues, the ethnicity of a poster's name is likely to completely overshadow the content of the message. A pseudonym allows the reputation of the blogger to be developed on its own. If the arguments and information are sound, the reputation will grow. Because names are not unique identifiers, the use of a real name (or apparently real name) in a blog may give an unrealistic sense of attribution.

I completely support the right of people to create spaces where participants must be identified. It is their right to do so, and is completely appropriate and reasonable. It is unreasonable and inappropriate to suggest that this should be imposed on the entire Internet and all communications therein.

US drafting plan to allow government access to any email or Web search

The Raw Story reports that National Intelligence Director Mike McConnell is developing new policies for Internet intelligence gathering. It looks like the changes may be very broad and deep. I worry that this kind of change often has significant impacts on civil liberties while providing minimal improvements to our security. Bad guys have any number of ways of protecting their communications and activities. It is the innocent Internet user that will be caught in this bigger and tighter net.

Consumer Advocates Seek a ‘Do-Not-Track’ List - New York Times

This idea of a "do not track" list is very interesting but also very problematic. Right off the bat is the problem of how a website would know NOT to track you. If the default is that you are tracked, you would need to pass some kind of token to every website that you wish not to track you. This would probably be a cookie, which would be vulnerable to deletion every time a user clears her cookies. It also puts the responsibility on the user to keep track of all the websites which might track her information and to maintain that preference across all of them.

This is very different from the phone number based "do not call" list, where the marketer can check against a list of numbers they should not call. In this case, the user hits the website out of the blue, and the website needs to work out whether to track or not. One solution would be some kind of universal identifier that all websites could check against the list, but this is certainly replacing one kind of tracking with a much worse kind.

This could all be avoided if the default were set to "do not track" and users could opt in. Of course, almost no one would bother to opt in to targeted tracking. This is a problem because it is exactly this kind of targeted advertising that makes so many free Internet services possible right now. Without ad targeting the advertising revenue would likely be too low to make the services viable. As usual, I am in favor of user-controlled privacy technology that works without requiring the consent or support of the tracking websites. If you don't want to be tracked, tools exist (like Anonymizer) to prevent that tracking. Just use them.

Online privacy? For young people, that's old-school - USATODAY.com

Being over 35, I fall into the "old-school" category described in this article. While I have a presence on a number of social networking sites, I have been very stingy with the information I have posted there. I think the root cause of the high-risk behavior on these sites is in the way they are used. People treat them as an extension of in-person, phone, and text message communications. It is just one more mode of communication. Unfortunately this mode of communication has some significant differences. The most important is that it is generally very public, searchable, and archived. It is almost impossible to take something back once it makes its way out onto the net.

As a high school or college student, it may be cool to show the dark side of your personality and not to care what people think. 5-10 years later when you are looking for a job with a high level of trust, requiring a clean reputation, the historical artifacts floating out on the web may turn out to be a real disadvantage.

It may turn out one day that our culture comes to understand this trend and ignores youthful indiscretions memorialized on the Internet, but I would not want to bet my future on that level of forgiveness.

Rogue Nodes Turn Tor Anonymizer Into Eavesdropper's Paradise

In a follow-up to this post I wrote a few weeks ago, we now understand how the 1000 government email accounts were compromised. It turns out that Dan Egerstad did it using Tor.

I have said for a long time that I am amazed that anyone operates Tor servers other than government people and criminal/terrorist people. As the operator of a Tor server, you have access to the clear text of the data flowing through your server whenever it is the exit node (typically about a third of the traffic). While the Tor documentation is clear about this vulnerability, it really understates it, and does not address what you should do about communicating with public services that do not provide an option for end-to-end encryption of the information.

As a user of Tor, you are trusting the operators of the servers not to monitor your information. Dan Egerstad's attack was simply to violate that trust. He actively monitored all of the traffic through his 5 Tor servers. He ran multiple servers to increase the amount of data he could collect. He identified the government accounts by searching the captured data for simple strings that would indicate the message was an email being sent or received in the clear, then further searching for keywords that would indicate it was government or military related.

Many other Tor servers could currently be searching for financial, medical, trade secret, or other information.
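What Egerstad's filter amounts to is easy to show. The following Python is an added example, not Egerstad's code or anything from the article. It runs over a handful of constructed flows of the kind an exit node (or the ISP deep packet inspection box from the first post above) sees when a protocol is used without TLS, pulls out POP3 USER/PASS, SMTP AUTH PLAIN and HTTP Basic credentials, decodes the base64-encoded ones, and tags flows to .gov/.mil hosts. The hostnames, addresses, credentials and the .gov/.mil rule are all assumptions made for the example. Pointed at your own egress capture, the same script tells you which of your users' credentials an exit operator would already have.

```python
import base64
import re

# Constructed sample flows (client, server, reassembled payload) as an on-path
# observer sees them for protocols used without TLS. All values are made up.
SAMPLE_FLOWS = [
    ("10.0.0.5:51234", "mail.example.gov:110",
     "+OK POP3 ready\r\nUSER jdoe\r\n+OK\r\nPASS hunter2\r\n+OK Logged in\r\n"),
    ("10.0.0.6:51235", "smtp.example.mil:25",
     "220 smtp ready\r\nAUTH PLAIN AGFsaWNlAHMzY3IzdA==\r\n235 2.7.0 ok\r\n"),
    ("10.0.0.7:51236", "intranet.example.com:80",
     "GET /admin HTTP/1.1\r\nHost: intranet.example.com\r\n"
     "Authorization: Basic Ym9iOnBhc3N3b3Jk\r\n\r\n"),
    ("10.0.0.8:51237", "www.example.org:80",
     "GET / HTTP/1.1\r\nHost: www.example.org\r\n\r\n"),
]

# Cleartext credential carriers; each pattern captures the secret-bearing token.
CLEARTEXT_PATTERNS = [
    ("pop3-user", re.compile(r"^USER (\S+)", re.M)),
    ("pop3-pass", re.compile(r"^PASS (\S+)", re.M)),
    ("smtp-auth-plain", re.compile(r"^AUTH PLAIN (\S+)", re.M)),
    ("http-basic", re.compile(r"^Authorization: Basic (\S+)", re.M)),
]

# Egerstad's second filter was keyword-based; here it is approximated by the
# server's domain suffix (assumption for the example: .gov and .mil are "sensitive").
SENSITIVE_HOST = re.compile(r"\.(gov|mil)(:\d+)?$")

def decode_credential(kind: str, token: str) -> str:
    """Turn a captured token into user:password where the encoding is reversible.
    Base64 is not encryption: AUTH PLAIN and HTTP Basic decode with no key."""
    if kind == "smtp-auth-plain":
        # SASL PLAIN is authzid NUL authcid NUL password; authzid is usually empty.
        _authzid, authcid, passwd = base64.b64decode(token).split(b"\x00")
        return f"{authcid.decode()}:{passwd.decode()}"
    if kind == "http-basic":
        return base64.b64decode(token).decode()
    return token

def scan_flows(flows) -> list:
    """Return one finding per cleartext credential seen in the flows."""
    findings = []
    for src, dst, payload in flows:
        for kind, pat in CLEARTEXT_PATTERNS:
            for m in pat.finditer(payload):
                findings.append({
                    "src": src,
                    "dst": dst,
                    "kind": kind,
                    "credential": decode_credential(kind, m.group(1)),
                    "sensitive": bool(SENSITIVE_HOST.search(dst)),
                })
    return findings

if __name__ == "__main__":
    for f in scan_flows(SAMPLE_FLOWS):
        flag = "  [SENSITIVE]" if f["sensitive"] else ""
        print(f'{f["src"]} -> {f["dst"]}  {f["kind"]}: {f["credential"]}{flag}')
```

Nothing here is clever, which is the point: the exit operator needs no cryptanalysis, only a string search over traffic the user chose to send in the clear. Anything you would not want an anonymous stranger reading has to be protected end to end (TLS to the mail server or website) regardless of which anonymizing network carries it.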

With any privacy service, you need to trust the operators of that service. The theory was that you would not need to trust the operators of the Tor network. The reality is that, in real-world use, you do have to trust them, but you typically know very little about them. There is almost no hurdle to establishing a new Tor server. Just about anyone with access to a server can set it up as a Tor server. You must assume that many of those people will not have your best interests at heart.

My personal approach is to work with people with a long track-record of trustworthy behavior. Anonymizer has been providing services for almost 12 years. I personally have been operating privacy services since 1992. In that time I have protected millions of people and billions of web pages and emails. Our track record for integrity is long and unblemished. I think that is the kind of basis one should use for deciding who to trust.