Wikipedia Spin Doctors Revealed - Yahoo! News

in , ,

Wikipedia Spin Doctors Revealed - Yahoo! News Once again, people use the Internet in inappropriate ways assuming that they are anonymous. In this case, Virgil Griffith has created WikiScanner. The idea is really simple. Look through Wikipedia for the IP addresses of everyone who has submitted edits to Wikipedia. They also provide tools to make it easy to see what changes have been submitted by people within specific organizations.

It will come as no surprise that this turns up many blatant attempts to whitewash articles about that organization (or its leaders), or to turn the Wikipedia entry in to a veritable marketing vehicle. I am amazed that people who are net-savvy enough to think of altering Wikipedia entries like this, would simultaneously be unaware that they could easily be identified while doing so.

How search engines rate on privacy | CNET News.com

in ,

How search engines rate on privacy | CNET News.com CNET has done a nice little study on the privacy policies and practices of the top 5 search engines. Their results show that their privacy policies leave a lot to be desired. In particular, Google and Yahoo never actually delete search data, and only partially "anonymize" it after over a year. As has been proven many times, the "anonymized" data can still be easily used to identify the actual identity of the searcher.

The Trial of Fake Steve Jobs - how the anonymous author was identified

in ,

The Trial of Fake Steve Jobs - Bits - Technology - New York Times Blog Here is an interesting bit of detective work. An anonymous blogger was uncovered with a combination of geographic location (pulled from IP addresses), characteristic writing patterns, and some shrewd guess work. The tracking of the IP address is the first piece of evidence they mention. Now if he had used Anonymizer.......

Sidejacking

in , , , ,

Report: "Sidejacking" session information over WiFi easy as pie

While this is not really news, it is a very nice description of a very widespread risk. This issue here is that many websites simply use a serial number in a cookie to keep track of user sessions. The implicit behavior is that if you have the cookie, you are authenticated and logged in. The big problem is that most of these sites are also insecure. With the popularity of insecure WiFi networks, capturing those cookies has become very easy. Once an attacker has the cookie, he can act as you for all purposes on those websites.

The simplest solutions are: enable SSL on the website (if possible), only use WPA secured WiFi, use a VPN, or use Anonymizer with the encrypted surfing option enabled (which effectively makes all websites SSL protected).

Slashdot | Web-based Anonymizer Discontinued

in

Slashdot | Web-based Anonymizer Discontinued A number of people have commented on this non-story regarding Anonymizer discontinuing services for Private Surfing. Some comments are making false or misleading statements, so I will address the issue here in hope to set the record straight.

Anonymizer chose to discontinue Private Surfing because its basic methodology was reaching the end of its useful life. The product was very effective when Web sites were simple, flat HTML. Today, most popular Web sites require active content to function. Active content presents a major problem in URL re-writing proxies; hostile code can cause the browser to make a direct connection to the server, thus exposing the user's identity.

Anonymizer's Private Surfing product used very sophisticated techniques to parse and re-write the active content to enable it to work safely. Despite our best efforts though, we felt that Private Surfing would not be able to maintain what is considered to be an acceptable level of service by Anonymizer's standards. We feel that it is not possible to provide functional active content and full security without the use of client software. To be clear, Anonymizer has only discontinued its web-based private surfing service—Anonymizer still provides client-based privacy services.

Anonymizer started the process to "end of life" Private Surfing many months ago. Subscribers were notified in advance and automatically transitioned to our latest privacy protection solution,Anonymous Surfing, at no additional charge for one year.

Anonymizer is in no way backing away from its commitment to deliver the most secure online privacy services for consumers, businesses and government organizations.

Testing if OPT-OUT really lets you OPT-OUT

in , ,

I am posting this to help the World Privacy Forum test if web advertisers actually honor their own opt-out systems. This should provide some very interesting hard data on the actual activities of big on-line web advertisers. They are running a test on the Opt Out page of the Network Advertising Initiative site and are looking for volunteers. The idea is to determine how well the opt out page is working, for which systems and which browsers. 

Here are the directions:

(To run this test, you will need to set your browser to accept cookies)

1. Open site: http://www.networkadvertising.org/managing/opt_out.asp

2. Check all of the opt out boxes you will see on the right hand column of the screen.

3. Click the submit button. (bottom of page)

4. Note how many of the opt outs were successful. (Successful opt outs will have a green check mark next to them, unsuccessful opt-outs will have a red X mark next to them. 

5. Please tell us your OS and OS version, and your browser and browser version. 

6. If you can, please send us a screen shot of your result page. 

7. Please email results to nai_test@nyms.net  

8. We are closing the test period on Thursday, July 26, at close of business (Pacific). 

Tor hack proposed to catch criminals

in , ,

Tor hack proposed to catch criminals This article is a couple of months old now, but I have been thinking about it a lot. Basically, HD Moore has created a set of tools to scan the contents of traffic leaving a TOR exit node, and to inject active tracking code into the data returned to the user. While this is possible in any anonymity system, the fact that almost anyone can run a TOR node makes the question of trust much more tricky.

I have talked to Roger Dingledine (one of the creators of TOR) about this but we seem to talk past each other. As I understand it, Roger feels that a user needs to take additional action to protect himself from such threats, including blocking all active content. He would further argue that if you are going to an insecure site, then you are putting yourself at risk. TOR is about anonymity, not security.

While all this is true, it runs aground on the reefs of reality. I am reminded of a statement by Yogi Berra: "In theory there is no difference between theory and practice. In practice there is." People want active content. People want to go to insecure websites. People want privacy. People don't want to work for it.

At the end of the day, that is really the difference between the TOR philosophy and the Anonymizer philosophy. We think that users should not need to be security experts. We think they should not have to research the trustworthiness of a number different individuals or groups. We think that the privacy threats normal people actually face in the real world are a long way from the unlimited money and resource attacks imagined by academic security researchers. Security is a balance. We strive to be secure, fast, and user friendly. I think 11 years with out a single breach of a user's identity from using the service is good evidence that we are doing something right.

CIO - China Makes Viruses for Cyberwar First-Strike

in , ,

CIO - China Makes Viruses for Cyberwar First-Strike We really have moved on from the idea of the hacker portrayed in the movie "war games". A young boy working out of his bedroom. These days it is a very professional operation, run by organized criminals, or governments in this case.

Because of the anti-censorship work we do Anonymizer has already been on the receiving end of numerous attacks out of China that appear to be government sponsored and initiated.

The Internet is now absolutely part of every nation's critical infrastructure. Cyber war provides a relatively bloodless form of attack that can do massive economic damage and potentially leave little evidence of who launched the attack. It is also a powerful leveler. Using standard hacking methods like bot nets even a tiny country or terrorist organization could inflict damage completely out of proportion to its resources.

Google Wants Shareholders to Permit Censorship

in , , ,

CIO.com - Business Technology Leadership - Google Wants Shareholders to Permit Censorship Following up on my earlier post, it is hardly surprising that Google is not in favor of this shareholder initiative. In all fairness, it would put them in a very difficult and competitively disadvantageous position.

I will be at a conference on censorship circumvention in the UK in late May, so I should have more information and insight about this issue soon. It will be good to get outside the box and talk with others who are fighting this good fight along side Anonymizer.

Google Shareholders push back on censorship

in

Wired has a blog on a shareholder initiative by Google shareholders to force the company to oppose and prevent government sponsored censorship. The initiative is sponsored by 5 major public pension funds in New York. While their voting impact is insignificant, this is symbolically a major move to raise the visibility of the impact of corporate decisions on human rights issues.

Countries continue to try to tighten their grip on the Internet

in ,

Thailand Continues Internet Crackdown - WSJ.comChinese President wants to tame Internet and spread party line

Many countries are continuing to try to exert control over the information available to their citizens. Changes in technology are forcing them to adopt new solutions to keep that control.

Traditional media (Newspaper, Magazine, TV, Radio) all have a local nexus of control that can be influenced by the government. Station managers, reporters, and editors can all be threatened or arrested to control the content of those media. For a media to be safe from influence, it must be generated and disseminated entirely outside the country in question.

The Internet is perceived as the greatest threat by restrictive governments because it enables on-demand access to information, offers much more depth than broadcast media, and two directional communications.

To minimize public backlash, these governments are presenting their censorship as protecting their citizens. In Thailand they are protecting the honor of the king and country, while in China they are preventing immoral or ideologically impure content. This is all just so much white wash to cover the effort to control the populace by controlling what they know and discuss.

Anonymizer, currently provides anti-censorship services at no cost to the people of Iran (supported by the VoA) and China (on our own). We are planning to protect the people in a number of other countries in the future. Many other organizations are also providing such solutions, creating a vibrant ecosystem of solutions which will be much harder to stop than any single solution.

It is critical that privacy organizations, as well as content providers and portals like Google, work together to actively oppose the efforts of these governments to restrict free speech and access to information on the Internet.

Historically short wave radio provided a way of getting information into a country. It was sometimes subject to jamming to keep it out. These days, almost no one listens to short wave, so its impact is minimal. Many national short wave services have been drastically reduced or eliminated.

Satellite TV can also be effective. Many countries try to limit private satellite dish ownership, however this tactic has proved to be difficult to implement effectively.

Google-DoubleClick Merger Concerns

in , ,

Google's acquisition of DoubleClick raises many major privacy concerns. Throughout the late 90's DoubleClick was the boogyman of the privacy community. More recently Google has taken on that mantle. The combination creates an information harvesting juggernaut. Google is in a position to see the search terms, and thus focus of interest, of the vast majority of Internet users. Most users start most searches or web expeditions with a Google search. Their logs contain a fairly complete history of the interests of their users going back for years.

DoubleClick has a view of user activity after the search across thousands of websites. Banner and other website ads are not actually hosted on the websites on which they appear. DoubleClick serves the content from their servers, and handles any clicks on the ads. Importantly, DoubleClick can gather your information even if you don't click on the link. Simply viewing the ad is enough for them to cookie you, to gather your IP address, and store that along with the URL you are viewing.

Combined, this enables the creation of a database most searches along with most subsequent web surfing activities. Nearly ubiquitous Internet monitoring by a single entity will be a reality after this merger. Having both the search information and the surfing activity give the answer to both the what and why of a users actions. The merged data is much more powerful than the individual components, and serve to fill in the gaps in each other's coverage.

Ironically, even Microsoft is talking about the privacy risks of this merger. Redmond | News: Microsoft Warns of Google-DoubleClick Danger

The Electronic Privacy Information Center (EPIC) has gone so far as to file a complaint with the FCC.

Mixed feelings about Whitehouse use of outside email accounts.

in , , , ,

I have been following a number of stories like this,Congress Follows Email Trail - WSJ.com, about the Whitehouse use of RNC controlled email accounts to discuss the firings of federal prosecutors. The law appears quite clear. Official Whitehouse email is a document that must be retained. Discussions of firing federal prosecutors sounds official to me. Therefore the Whitehouse was wrong to use outside email addresses to keep the discussions secret. I am not comfortable with the law in the first place. Email and other electronic communication media like chat and IM are often used more like casual conversation than formal memos. Few would argue that the President's every word should be recorded at all times. It would make discussion and debate next to impossible. In the process of thinking through an issue one may consider many potentially unpopular ideas, if only for the purpose of argument. Free and unconstrained give and take generally leads to be best understanding and decisions. Free and unconstrained debate can not take place with the world looking over your shoulder and scrutinizing every word.

If we accept that email and chat are used like conversation to hash out ideas, then it is very damaging to the process to place heavy recording and monitoring requirements on it. At the same time, having no oversight substantially reduces accountability. It might even facilitate corruption.

This really shows in a microcosm the greater question of general communications privacy vs. law enforcement access. It is a hard balancing act because there is very little middle ground. Basically you are either monitored or not. Having monitoring of a random half of the messages is going to make everyone unhappy.

April 2, 2007 - Fortify Software Documents Pervasive and Critical Vulnerability in Web 2.0

in , ,

April 2, 2007 - Fortify Software Documents Pervasive and Critical Vulnerability in Web 2.0 It looks like, in addition to the privacy risks of voluntarily revealing information through Web 2.0 sites, weaknesses in the most common frameworks will enable malicious attackers to gather even non-public data from these sites.

Web 2.0 generally refers to web sites that are either web applications or are based on community content. In either case they involve the users uploading substantial amounts of possible sensitive personal information to the sites. I predict that a great deal of damage may result from this in the long run.

Report: IRS bungles may imperil data

in , , , ,

As a followup to my discussion of risks of online tax filing, here is an article on security weaknesses at the IRS. Report: IRS bungles may imperil dataIt does not appear that this is particularly connected to online filing, but rather an overall laxness in their security.

Filing your taxes online?

in , , ,

The Motley Fool has a nice blog post on issues involved in electronic filing of tax returns. There are a couple of important points to be made here. First of all...

  • The IRS has all your information and it will be in digital format (accessible by computer);
  • You are exposed to some points of vulnerability when filing electronically, rather than on paper;
  • The information on your PC is vulnerable to theft (whether you send it electronically or just use tax software);
  • Your information is vulnerable on the Internet-accessible servers to which you upload your data; but
  • On the flip side of the coin, paper returns are subject to loss, theft and mishandling as well, both in transit and within the IRS.

It is somewhat similar to using a credit card. You can risk online theft when conducting an e-commerce transaction, or real-world theft when handing over your card to a minimum wage worker over a store counter. Risks exist both ways.

At this time I think the jury is out on which is safer, but, for the record, I file electronically.

More news on Wireless Insecurity

in ,

I was just sent a link to an improved attack on WEP for WiFi. WEP (Wired Equivalent Privacy) is no such thing. Erik Tews, Andrei Pychkine and Ralf-Philipp Weinmann at the technical university Darmstadt in Germany have a paper and proof of concept implementation of an improved attack on WEP. This attack should be able to compromise WEP security in under a minute under normal conditions with an inexpensive laptop. In reality over half of deployed wireless nodes have no security enabled at all, so WEP is certainly an improvement on that. A much better solution exists called WPA. It is available on almost all WiFi devices, and should be used wherever possible. While WPA is not perfect, there are no efficient attacks against WPA, however experts are still not confident in its security. If you have a high security application, stick with a wire, and/or use a strong VPN within the WiFI connection. I am a belt and suspenders kind of guy, so I like to use multiple layers of security whenever possible.

Google Changes to Privacy Practices

in

On March 14th Google announced plans to improve their privacy practices by "anonymizing" their logs after 18-24 months. As usual Google is getting slammed for their efforts, despite the fact that no other search engine is making any efforts at privacy at all. I am going to join in, not to pick on Google, but because this affords us a chance to discuss these issues and debate what the policy SHOULD be.

Read More