Google "Street View" vans intercepted sensitive data

in , , , , , , ,

Cnet (among others) reports on Google's interception of personal information from open WiFi nodes, including passwords and e-mail.

Clearly it was poor practice for Google to be capturing and recording such information as they drove around, but the real news should be that the information was there to be captured. The intent of the monitoring of WiFi seems to be collecting the locations of WiFi base stations to improve enhanced GPS location services. This works by having your device upload a list of all the WiFi base stations it can see (along with signal strength) which the service then looks up in a database to determine your location. This requires the service to have a database of the physical location of an enormous number of WiFi base stations.

To do this, all Google would have needed to capture was the hardware address of each device. Instead they captured some of the actual data being sent back and forth as well.

It turns out that this is incredibly easy. With many of the WiFi chipsets built in to personal computers, laptops and USB adapters, one can easily download free software that will start intercepting open WiFi traffic with a single click.

The shocking news should not be that Google accidentally got this information but that anyone with bad intent could do it to you. Anonymizer will soon be releasing a video we did a few weeks back showing how someone could take control of your Facebook account using an open WiFi and almost no technical expertise at all.

If the connection between you and a website, email server, or other service is un-encrypted, then anyone near you can intercept it if you are using an open WiFi.

To be clear, open WiFi means that the underlying connection is un-encrypted. Many public WiFi sites have a login page. This is to manage usage, and provides no security to you at all.

If you get a connection before you type in a password, especially if you see a web page before you type a password, then you should assume you are on an insecure connection and therefor vulnerable.

Saving Internet Anonymity -- The Struggle is Joined

in , , , , ,

Lauren Weinstein's Blog: Saving Internet Anonymity -- The Struggle is Joined I strongly encourage anyone with a commitment to Internet anonymity to read this blog post. An organized opposition to the existence of such anonymity is growing. Of course, like attempt to clamp down on cryptography, it will only impact the law abiding while criminals use bots and other tools to circumvent the restrictions.

Between this and the push to remove the expectation of privacy from all stored emails, I am very concerned.

Google Stops Censoring in China

in , , , , ,

From the Official Google Blog (follow link for the whole post):

So earlier today we stopped censoring our search services—Google Search, Google News, and Google Images—on Google.cn. Users visiting Google.cn are now being redirected to Google.com.hk, where we are offering uncensored search in simplified Chinese, specifically designed for users in mainland China and delivered via our servers in Hong Kong. Users in Hong Kong will continue to receive their existing uncensored, traditional Chinese service, also from Google.com.hk. Due to the increased load on our Hong Kong servers and the complicated nature of these changes, users may see some slowdown in service or find some products temporarily inaccessible as we switch everything over.

I would expect to see China censor Google.cn very quickly (which would prevent the re-direct to Google.hk). It will be interesting to see if China will then take the next step of censoring Google.hk and possibly other Google properties around the world. It would be easy for Google to set up any or all of them to return results in chinese if the browser is detected to be configured in that language.

Google thinks you don't need privacy

in , , , ,

You Have Zero Privacy Anyway -- Get Over It This is a good article by David Adams on OSnews talking about a recent quote by Google CEO Eric Schmidt saying "If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place." David compares this to a similar and infamous quote by Sun's Scott McNealy.

I think the reality is not that privacy is dead, or unimportant, but that it is hard. Maintaining privacy requires thought and vigilance, now more than ever. Much as I love it, the Internet is the most surveillance enabled and friendly technology ever created.

Question from a long time customer

in , , , , , , , , , ,

A long time customer recently sent in the following question. Since it should be of broad interest, I asked his permission to anonymous post and answer it here.

How do you know that subscribing to an anonymizer does not simply mark you for observation? We all know the NSA is capable of intercepting any electronic communication, and with gajillions of electronic communications happening every second, how would the NSA (or the FBI or the CIA or whoever it is who watches us) know which of those communications to watch? Seems like the people wanting anonymity would be the first on the list. Surely they COULD, couldn't they? That is, get the subscriber lists, which would enable them to intercept communications this side of the proxy - i.e., intercept on the way out, on the way TO the proxy, BEFORE it gets securely tunneled? And no, that would not be possible with the web, but it would with email. Supposedly. This is what has been proposed to me. What do you think? Does it have any validity?

It is certainly the case that the government could, in principle, monitor your access to privacy services. As long as that access is over a strongly encrypted connection, the contents of your communication, what sites you are visiting or who you are communicating with would be protected. The strength of your anonymity is then largely determined by the number of other users of the same service with which your traffic is being mixed.

In the United States, the use of privacy tools is not restricted. Strict separation of intelligence from law enforcement functions should prevent drift net monitoring of your use of Anonymizer from leading to any kind of legal investigation. The huge number of Anonymizer subscribers would also make this difficult and highly visible.

Outside of the US it is another story. Many countries exercise much greater control over the Internet. Even if it were not blocked by the Iranian government, accessing the Anonymizer website from within Iran would be a risky activity. Once again, the key here is safety in numbers. We have run anti-censorship tools in Iran that supported over 100,000 users. With those numbers, it is awkward for the government to go after people simply for using the service. This is not to say that if you are already under observation for some other reason that it would not give them added ammunition. Privacy tools are generally very effective at keeping you below the radar, but can be much less effective once you are on the radar for whatever reason.

The reality is that there is no evidence of widespread Internet surveillance being used in the US to track users of privacy services. As long as the connection to the service is well encrypted, you should be fine.

Video: Hacker war drives San Francisco cloning RFID passports - Engadget

in , , ,

Video: Hacker war drives San Francisco cloning RFID passports - Engadget The law of unintended consequences strikes again. In an attempt to improve national security, the U.S. Government has been pushing hard for the widespread adoption of RFID tags in passports around the world. They are already in U.S. passports. The problem is that they are easily scanned from a distance (as shown in the video), and can be cloned. If the RFID chip in the passport is trusted by the authorities, then the security situation is actually worse, not better. Getting real passport information from someone used to be hard. It generally involved actually stealing the passport. With the scanner, one could produce large numbers of clones while simply standing around the airport with the antenna in ones roller luggage (staying out side of security).

The long range readable RFID tags also make possible all kinds of other tracking and identification. The video talks about correlating personal information from RFID enabled credit cards with the passport number to produce even better fakes.

Distribution of such devices around a city would provide much better and more accurate and automated tracking of a population than cameras with their resolution, and facial recognition issues.

Surveillance of Skype Messages Found in China - NYTimes.com

in , , , , ,

Surveillance of Skype Messages Found in China - NYTimes.com Activists at Citizen Lab, a research group at the University of Toronto, have discovered a massive program of surveillance against Skype in China. Specifically the Chinese are monitoring instant message traffic on Tom-Skype, a joint venture between eBay (the owner of Skype) and a Chinese wireless operator.

It looks like all of the text messages passing through the service are scanned for key words of interest to the Chinese government. This program captures both messages within the Tom-Skype network and between that network and the rest of the Skype network.

This is yet another compelling argument for using strong encryption to prevent interception of message content. People in China can avoid this surveillance by using the non-chinese version of Skype, and using a VPN to get the communications safely out past the Chinese scanners.

Chinese Bloggers Scale The Great Firewall In Riots Aftermath - WSJ.com

in , , , , , ,

Chinese Bloggers Scale The Great Firewall In Riots Aftermath - WSJ.com In a triumph of low tech, Chinese bloggers are evading the Chinese national censorship system by simply converting their posts to read right to left rather than left to right.Clearly this is only a short term solution, and the government will adapt quickly, but it shows again how brittle these censorship systems are. 

Charter's Web monitoring draws intervention from Capitol Hill | The Iconoclast - politics, law, and technology - CNET News.com

in , , ,

Charter's Web monitoring draws intervention from Capitol Hill | The Iconoclast - politics, law, and technology - CNET News.comIt looks like Charter may not start monitoring its user's web activity after all. We shall see... 

High resolution tracking through cell phones

in , , ,

It appears that a company is now selling a tool that will allow high resolution tracking of the motion of customers through stores and malls by triangulating on their cell phones. The technique involves tracking the phone through its globally unique IMEI number. The company claims that this is anonymous because only the phone company knows the correspondence between the IMEI and the customer's real name.I have very little faith in that protection. There are simply too many ways one might extract that kind of information, which could then become widely available. One could even connect the location information and IMEI data to checkout records. After a couple of trips, it would be fairly unambiguous. This is certainly clever, but disturbing. There is no opt-in or opt-out, and the tracking takes place passively with no ability for the user to detect that it is going on.Shops track customers via mobile phone - Times Online

The strength and weakness of Internet activism

in , , , , , ,

Fledgling Rebellion on Facebook Is Struck Down by Force in Egypt - washingtonpost.com  For a short time Facebook became the center of a fledgling activist movement in Egypt. Over 74,000 people registered on a Facebook page devoted to this issue. It became the primary communications path for this group, and enabled its explosive growth. It also contained the seeds of its rapid unwinding and the arrest and beating of the creator of that page.To me this is yet another example of the "On the Internet nobody knows you're a dog" syndrome. People feel so comfortable in front of their computers, they will say and do things they would fear to do in public or face to face. Facebook is in no way anonymous, nor does it claim to be. While there are many tools that could have enabled these people to operate and organize anonymously, there is no evidence that they used any of them.The Internet is very powerful, but it is also very public. People wishing to use it in repressive countries need to take special care to protect themselves and their visitors. 

ISP admits to collecting web surfing data.

in , , ,

I encourage everyone to read this article by Declan McCullagh: Q&A with Charter VP: Your Web activity, logged and loadedThe gist is that Charter Communications, the third largest cable operator in the US, is testing a system to capture the URLs you visit when you browse the web, then provide that information to advertising networks through a third party company, NebuAd. They claim this information is "anonymized", but I can't really see how that is possible. If a company wants to target car ads at people who visit many car websites, then the advertiser must know that you have done so when you are shown the ad. Since they have your IP address, they know who you are (or at least have personally identifiable information).While the advertiser may not get the actual web logs, this is a huge amount of information, and I am sure more could be gathered by a clever and systematic set of advertising targets. For each narrow target, capture information on which users match the target criteria when there is an opportunity to show them an ad.The obvious solution is to prevent the ISP from gathering this information in the first place. Any kind of encrypted tunnel, like those provided by the various Anonymizer solutions, will prevent this kind of commercial espionage on their users.

Every Click You Make - washingtonpost.com

in , , , ,

This article discusses the risk from "deep packet inspection" by ISPs. The article states that at least 100,000 people in the US are being tracked with this technology right now. If true, the impact of this could be huge. Whereas a website can only track you when you are actually visiting that site, your ISP can see all of your activity on any website or other service you use. The idea is that the information collected could be sold to advertisers to better target marketing messages to you. If you had been looking at car sites, you might see more car ads next time you visit an advertising supported website like CNN.com.This is certainly not the realm of science fiction. The Chinese government is already using this technology on a massive scale as part of their national censorship infrastructure. They use it to detect forbidden words and phrases, "Tibet" being at the top of that list right now.Most of us assume that the bad guys are "out there" on the net, and assume that our ISPs are basically just passing our traffic along without looking at it. If they start this kind of inspection, it opens all kinds of additional risks. Once the equipment is there, a rogue sysadmin could tune it to watch for passwords, personal information, bank information, etc. It opens a whole new set of vulnerabilities.Anonymizer's Total Net Shield, and Private Surfing (with full time SSL enabled) provide significant protection against this threat. Both allow you to tunnel your traffic to Anonymizer without the ISP being able to inspect it, other than to see that it is going to Anonymizer.It is shocking to me that this kind of thing should be possible without explicit user consent. Maybe we need a "truth in labeling" law for Internet service providers.  A bottle of Napa Merlot can not be so labeled unless it is from Napa and made from merlot grapes. Similarly, it should not be called an "Internet Connection" if you can't go everywhere (some ISPs are restricting certain perfectly legal protocols). If the ISP is going to spy on you, it should be in big red letters. Maybe I am OK with that, but I certainly have a right to know in advance.

Yahoo posts pictures of wanted Tibetans

in , , , ,

Yahoo and MSN helping to root out Tibetan rioters | The ObserversYahoo China posted pictures of "most wanted" Tibetan protestors on Yahoo! China's home page. Cooperation with lawful process in a repressive country is bad enough, here they are actively collaborating. Yahoo!'s claim that this was done by Yahoo! China, not by the Yahoo! mother-ship, seems disingenuous at best.Active support of censorship and oppression is clearly unethical. If this is not clearly on the wrong side of the line, then what in the world is?

VoIP: Who Might Be Spying on Your Communications? (Hint — It's Not Just the NSA) - VoIP News

in , ,

VoIP: Who Might Be Spying on Your Communications? (Hint — It's Not Just the NSA) - VoIP NewsThis somewhat simplistic article makes the case that one should not consider VoIP to be a secure replacement for land line phones. It too is vulnerable to a number of governmental and criminal interception attacks.

Bruce Schneier's Security Matters: The Myth of the 'Transparent Society'

in , ,

Bruce Schneier's Security Matters: The Myth of the 'Transparent Society'This is a nice little article arguing against the idea of Brin's Transparent Society as a solution to the privacy problem. I suspect David Brin would object to the characterization of his work as presenting it as a panacea, but many do so argue.Bruce argues that the relative power disparity makes for un-equal results in the two direction of observation. From my perspective, the idea of enabling the public to watch the government surveillance apparatus is completely unrealistic. It would enable our enemies (and as a nation the US does have real enemies) to reverse engineer and avoid our surveillance. The best one can realistically hope for is very rigorous oversight (which has also seemed unrealistic of late).At the same time the spread of cameras, facial recognition, RFID, etc., is rapidly increasing the level of surveillance of the general population. The only place where observation and recording by the people seems to be really effective is in issues of corruption or abuse of power. Rodney King being an obvious (and ambiguous) example. 

Security and Privacy Aren't Opposites

in , , , , ,

What Our Top Spy Doesn't Get: Security and Privacy Aren't OppositesWow, I don't know how I missed this one back last month! I wish I had written this essay. The key point is that privacy is not the antithesis of security. Most of the privacy invading "security" solutions we see are what I call "placebo security" and Bruce calls "security theatre" . Things like the "don't fly list" which appears to catch orders of magnitude more innocents than terrorists, and the national ID card when all the terrorists had legally issued valid ID already.In fact, many measures seriously damage security, like putting personal information in the clear on drivers licenses, including Social Security Numbers in many cases! It is an axiom of security that valuable information will leak and people with access will abuse that access. The more control a government demands, the more  oversight is required. That was my real problem with warrantless wiretapping. Not the wiretapping, but the warrantless. Surveillance of anyone at any time for any reason is the hallmark of a police state. The key is independent oversight. The debate on how that should be done must be open an honest.The security vs. privacy debate seems to me to be built on dishonest assumptions. It tends to be rhetoric and political point scoring on both sides with little discussion of whether the proposed solutions or changes actually improve security, what the real trade off is, and whether that trade is worth while.We are currently being asked to sacrifice enormous amounts of privacy and freedom to confront a threat that is miniscule compared to smoking or drunk driving, threats about which few would make such arguments. 

Finnish government blacklists 'free speech' site.

in , , , ,

Finnish government blacklists 'free speech' site | The Iconoclast - politics, law, and technology - CNET News.comHere is another Declan article that deserves more attention. In this case the Finnish government is censoring a website for publishing a list of websites he discovered to be on a secret censorship black list compiled by the Finnish government. Censoring someone for trying to speak out about censorship is almost always a bad idea. As one might expect, free speech advocates around the world have mirrored the black list so many times and in so many places, it will be just about impossible for the Finnish government to contain the spread.