The Anonymity Experiment | Popular Science

This is an interesting article on trying to live in the modern world without leaving any digital footprints. It is nice to see they suggested Anonymizer; unfortunately, they got the facts completely wrong. They suggest that anyone could run an Anonymizer proxy, and that those people could be monitoring traffic. That is true of the TOR network, but not of Anonymizer. We own and operate all of our own servers and networks, for exactly that reason.

Script attack for capturing your browser history

This page (Bookmark button test page) contains a nice demonstration of the ability to retrieve your surfing history from your browser. In this case, it looks for any social bookmarking sites you may have visited in the past. Obviously this could be extended to look for any other sites you might have visited. For example, this would enable an attacker to target phishing attacks at you based on the bank websites you actually visit. This shows once more the double-edged sword of browser functionality. The scripting capabilities make possible such things as Google Docs but also enable this kind of attack. They go hand in hand. The more power you give to the scripting language, the more opportunity there is to abuse that power.

Ireland to start broad data retention

It looks like the trend towards widespread retention of traffic analysis data is spreading to Ireland, one of the last holdouts in Europe. If you want to be protected from this kind of data gathering, you need to take proactive precautions. From the SANS Institute:

To satisfy the requirements of a European Union (EU) directive, Ireland will begin retaining records of its citizens' emails and Internet chats. While the content of the communications will not be retained, records of the IP addresses of the participants, the time and date of the communication, and the physical size of the message would be stored. The plan would take effect within one month through a statutory instrument in lieu of introducing legislation in Parliament because the country has received notice from the EU that it is three months overdue in implementing a data retention plan. A civil liberties organization has voiced its opposition to the plan as well as the way in which it is being implemented. The group maintains that law enforcement officials will be permitted to access the retained data without court orders or warrants.

Fragile Anonymity

 Bruce Schneier, in Crypto-Gram: January 15, 2008, writes an excellent article on the ease of re-identifying "anonymized" data. The Census, research results, survey results, and many other databases are released with identifying information removed with the intent to protect the identity of the subjects in the database. It turns out that it is disturbingly easy to attach the real identities again.

A question of identity

In the article What's In A Name at Design Observer, Steven Heller argues against the use of pseudonyms and anonymity in blogs. He states, but never really argues, that pseudonyms are:

  1. Cowardly
  2. Deceitful
  3. Unacceptable

Despite the fact that I blog under my real name, few may find it surprising that I disagree with his claims. In this age where every word we post will last well beyond our years on earth, one should take great care about posting anything under a real name. I hold very different opinions now than I did when I was young. I would not want to have those thoughts thrown back in my face. Many bloggers hold opinions that run counter to those of their employers. Making strong arguments that might be detrimental to one's employer could well be a "career limiting move". The fear of such retaliation is often much worse than the reality. The chilling effect on speech can be significant. Far from being cowardly, I argue that pseudonymous blogging is simply prudent in many cases.

That pseudonyms are deceitful would seem to apply to only a very small subset of bloggers, those who are using a pseudonym that appears to be real but is not and which is masking a true identity that, if known, would significantly color a reader's interpretation of the blog. In other words, where the choice of the pseudonym is made with an intent to deceive. The vast majority of pseudonyms I have seen used are obviously such. There is no doubt that the author is using a pseudonym. The desire to speak from behind a mask is completely overt. In addition to security and privacy concerns, one may well choose to do this to allow the writing and arguments to stand on their own, completely apart from the identity of the writer. For example, in a forum on Israeli / Palestinian issues, the ethnicity of a poster's name is likely to completely overshadow the content of the message. A pseudonym allows the reputation of the blogger to be developed on its own. If the arguments and information are sound, the reputation will grow.

Because names are not unique identifiers, the use of a real name (or apparently real name) in a blog may give an unrealistic sense of attribution.

I completely support the right of people to create spaces where people must be identified. It is their right to do so, and is completely appropriate and reasonable. It is unreasonable and inappropriate to suggest that this should be imposed on the entire Internet and all communications therein.

Disparate national laws trample privacy expectations

Israel recently forced Google to hand over the identity of a blogger. Declan McCullagh wrote a good post covering the facts of the case. This case illustrates one of the problems caused by the international nature of the Internet. A message, article, or blog post you write (completely legally) in your country may subject you to prosecution and punishment in another. I am not thinking here of obvious and major crimes such as fraud, child pornography, etc. (and even these are not universally criminal), but rather of more subtle speech and thought crimes.

In the United States, the "truth" is an absolute defense in libel cases, while in the UK it is not (lawyers in the audience, please correct me if I am in error here). Denial of the Holocaust is protected First Amendment speech in the US but not in much of Europe. Personal sharing of copyrighted materials is legal in many countries, but not the US. Think cartoons of Mohammed, the Satanic Verses, the secret teachings of the Scientologists, pictures of Burmese protests, publishing of cryptography software. Each of these is legal in some countries and not in others.

How can anyone know if their words or actions might be illegal in some country somewhere in the world?

Free Secure Email Certificates Secure Email Certificate Email Security Digital Email Signatures

Using email encryption is often a complicated and painful process. These days strong S/MIME based encryption is built in to almost all major email clients. The cost and complexity of obtaining the necessary cryptographic certificates is the biggest obstacle to widespread use at this point. Sites like Comodo make the process easier. While the security model is not perfect, any reasonable application of crypto and certificates will vastly improve the general security of email.

US drafting plan to allow government access to any email or Web search

The Raw Story | US drafting plan to allow government access to any email or Web search

National Intelligence Director Mike McConnell is developing new policies for Internet intelligence gathering. It looks like the changes may be very broad and deep. I worry that this kind of change often has significant impacts on civil liberties while providing minimal improvements to our security.

Bad guys have any number of ways of protecting their communications and activities. It is the innocent Internet user that will be caught in this bigger and tighter net.

Consumer Advocates Seek a ‘Do-Not-Track’ List - New York Times

This idea of a "do not track" list is very interesting but also very problematic. Right off the bat is the problem of how a website would know NOT to track you. If the default is that you be tracked, you would need to pass some kind of token to every website that you wish not to track you. This would probably be a cookie, which would be vulnerable to deletion every time a user clears her cookies. It also puts the responsibility on the user to keep track of all the websites which might track her information and maintain that preference across all of them.

This is very different from the phone number based "do not call" list, where the marketer can check against a list of numbers they should not call. In this case, the user hits the website out of the blue, and the website needs to work out whether to track or not. One solution would be for there to be some kind of universal identifier that all websites could check against the list, but this is certainly replacing one kind of tracking with a much worse kind.

This could all be avoided if the default was set to "do not track" and users could opt in. Of course, almost no one would bother to opt in to the targeted tracking. This is a problem because it is exactly this kind of targeted advertising that makes so many free Internet services possible right now. Without ad targeting the advertising revenue would likely be too low to make the services viable. As usual, I am in favor of the user controlled opt out of privacy technology, without requiring the consent or support of the tracking websites. If you don't want to be tracked, tools exist (like Anonymizer) to prevent that tracking. Just use them.

Steroid bust shows Feds can still get at "private" and "secure" e-mail

It appears that Hushmail was able to turn over cleartext emails to the government when presented with a court order. This points out the importance of understanding the security model of the security tool you are using. For example, secure web pages (SSL protected) only protect the data as it moves between your browser and the remote web server. They do nothing at all to protect the data once it arrives.

Incorrect assumptions about a security model can lead you to take actions that you might not otherwise. This can put you at significant risk. Many solutions are very robust against specific threats while offering no protection at all against other threats. Understanding what is and is not protected by a solution is critical BEFORE you actually start to use it to protect important information.

Yahoo scolded for helping China imprison dissident - MSN Money

Yahoo! was taken to task in a congressional hearing for handing over information to the Chinese government that led to the imprisonment of a dissident reporter. There is certainly much that could be said about standing up to oppressive governments and the risks of locating infrastructure in such countries.

I think one of the most important lessons to take away is to take more personal responsibility for your own security and privacy. Information collected by the services we all use is archived almost indefinitely. Today the problem may be China, but who knows which government may turn oppressive over the next 10 years. Even the US government has a history of witch hunts.

Internet users must be proactive about their security. Tools exist to enable people in China to use the Internet freely without any censorship or monitoring. Anonymizer provides such a service free to Chinese users. A number of other organizations do the same. Encryption, anonymity, and privacy tools can largely de-claw the modern police state, but only if they are used consistently.

Comcast really does block BitTorrent traffic after all | The Iconoclast - politics, law, and technology - CNET News.com

Here is another example of the fallacy of "The Internet" as a single entity. In many ways the Internet is like a hologram. What you see depends on where you are. Many web sites will charge higher prices to you if you are coming from certain countries or certain zip codes. In this case, certain kinds of communications simply don't work if you are a Comcast customer.

The problem here is really informed consent, or false advertising. Users of Comcast reasonably assume that if they buy an "Internet" connection, they will get a connection to "the Internet". I think most reasonable people would assume this to include the use of any Internet applications or protocols which are not behaving in an illegal or abusive way. Comcast has been very close-mouthed about their actual policies for what and when they block access to services or content.

The fact that competition for broadband in many markets is more theoretical than real makes this particularly concerning.

Online privacy? For young people, that's old-school - USATODAY.com

Being over 35, I fall into the "old-school" category described in this article. While I have a presence on a number of social networking sites, I have been very stingy with the information I have posted there. I think the root cause of the high risk behavior on these sites is in the way they are used. People treat them as an extension of in-person, phone, and text message communications. It is just one more mode of communication. Unfortunately this mode of communication has some significant differences. The most important is that it is generally very public, searchable, and archived. It is almost impossible to take something back once it makes its way out on to the net.

As a high school or college student, it may be cool to show the dark side of your personality and not to care what people think. 5-10 years later when you are looking for a job with a high level of trust, requiring a clean reputation, the historical artifacts floating out on the web may turn out to be a real disadvantage.

It may turn out one day that our culture comes to understand this trend and ignores youthful indiscretions memorialized on the Internet, but I would not want to bet my future on that level of forgiveness.

Rogue Nodes Turn Tor Anonymizer Into Eavesdropper's Paradise

In a follow-up to this post I wrote a few weeks ago, we now understand how the 1000 government email accounts were compromised. It turns out that he did it using TOR.

I have said for a long time that I am amazed that anyone operates TOR servers other than government people and criminal/terrorist people. As the operator of a TOR server, you have access to the clear text of the data flowing through your server when you are the exit node (about 1/3 of the traffic typically). While the TOR documentation is clear about this vulnerability, it really understates it, and does not address what you should do about communicating with public services that do not provide an option to do end-to-end encryption of the information.

As a user of TOR, you are trusting the operators of the servers not to monitor your information. Dan Egerstad's attack was simply to violate that trust. He actively monitored all of the traffic through his 5 TOR servers. He ran multiple servers to increase the amount of data he could collect. He identified the government accounts by searching the captured data for simple strings that would indicate the message was an email being sent or received in the clear, then further searching for keywords that would indicate it was government or military related.

Many other TOR servers could currently be searching for financial, medical, trade secret, or other information.

With any privacy service, you need to trust the operators of that service. The theory was that you would not need to trust the operators of the TOR network. The reality is that, in real world use, you do have to trust them, but you typically know very little about them. There is almost no hurdle to establishing a new TOR server. Just about anyone with access to a server can set it up as a TOR server. You must assume that many of those people will not have your best interests at heart.

My personal approach is to work with people with a long track record of trustworthy behavior. Anonymizer has been providing services for almost 12 years. I personally have been operating privacy services since 1992. In that time I have protected millions of people and billions of web pages and emails. Our track record for integrity is long and unblemished. I think that is the kind of basis one should use for deciding who to trust.

Yahoo seeks to dismiss China case - Yahoo! News

This is a really interesting legal case. Yahoo was sued in the US by people representing some Chinese journalists who were convicted in China of violating Chinese law. Yahoo's involvement was to provide evidence from their logs and stored account data. The argument is that Yahoo should have resisted more and provided less information under US and international laws.

The people working for Yahoo in China are in a tough place because they could easily be arrested and held in contempt for failing to comply. Widespread corruption in China would almost certainly lead to extra-legal consequences for Yahoo if they resisted.

One might well criticize Yahoo for designing their systems in such a way as to be vulnerable to such foreseeable attempts to gather information on journalists and dissidents.

I think it is a mistake to trust such potentially damaging information to any company like Yahoo, Google, AOL, etc. International law will be a cold comfort if you are sitting in a jail somewhere. The only real solution is to take control of your own information. Use encryption and anonymity to ensure that your information cannot be handed over.

Hacks hit embassy, government e-mail accounts worldwide

Usernames and passwords for more than 100 e-mail accounts at embassies and governments worldwide have been posted online. Using the information, anyone can access the accounts that have been compromised.

I am not sure how much needs to be said about this. In general email security is very lax. People often forget just how much information lives in their email accounts. Especially when using Exchange or IMAP type email, all of your old email archives will be compromised if your account is breached. When you consider all of the file attachments most of us get every day, there is probably little sensitive information any of us handle that is not contained in those email archives.

Germany wants to spy on suspects via Web

Germany is proposing to use trojan horse software to enable surveillance of target computers. I have to wonder how effective this will actually be. They are talking about distributing it in an apparently official email from a government email address.

  1. Now that the bad guys know this, it seems likely that they will take more care with the attachments from the government.
  2. Anti-virus / anti-malware programs should be able to identify and block this software.
  3. If the anti-virus software makers are convinced to leave a hole for this software, it will be a huge back door for other hackers to use to deploy their trojan horse software.

In general this seems like a high risk operation for the Germans. I suspect that it will be used rarely and very selectively.

E-voting predicament: Not-so-secret ballots | CNET News.com

Once again it is proved that security and anonymity are not as simple as they look. In this case an e-voting system enables anyone to recover the actual votes of every voter, by name. This system eliminates any privacy in the voting process.

The implications for vote buying, and retribution by family, employers, and others, are huge.