It is not easy to stay private

in , , , ,

New Sites Make It Easier To Spy on Your Friends - WSJ.com This article does not break any new ground, but does a nice job of listing and discussing a number of tools one can use to gather information on people. They pull from on-line information sources as well as public records for things like criminal history. For employers, it would be a good place to start before hiring someone to do a full background check.The big take away at the end is that you need to make sure you reduce your Internet footprint, specifically by taking care to check the privacy box on many sites, and to simply provide no or false information to others. For example, although I would never provide a wrong age to gain access to a restricted website, I almost never provide my correct birthday because to many other sites (like banks) use that as part of your identity verification. 

China Net Censorship during the Olympics

in , , ,

China won't guarantee Web freedom over OlympicsHere is an interesting article on Internet censorship during the Olympics. Fortunately for visitors, it is easy to set up secure communication links back to the US before going over. VPN links back to a corporate headquarters outside of China can be a very effective conduit around the censorship. While Anonymizer's commercial solutions are blocked in China, our censorship circumvention technologies are very effective within the country.  

Big Announcement

in

I have some exciting news to announce today. Anonymizer is in the process of being merged with Abraxas <www.abraxascorp.com>. I initially started talking with Abraxas about a possible partnership but synergies between the companies were so clear the conversation quickly went from discussions of teaming to discussions of acquisition. Abraxas is a very well respected risk mitigation company with many unique technologies and capabilities. This combination will enable Anonymizer to significantly enhance and broaden its offerings. I am excited by the prospect of rolling out these new capabilities to our users over the next months and years.  This is the start of a new and exciting phase for Anonymizer.Anonymizer will continue to operate independently under the existing management team (including me) as an independent subsidiary of Abraxas. In addition, I am thrilled to be taking a very visible leadership position in Abraxas as their Chief Scientist. This change will have no negative impact on the level of privacy we provide to our users. My personal reputation is and has been closely linked to the ethical behavior and trustworthiness of Anonymizer. Nothing will happen to compromise that integrity.

 

Chinese DOS Attack on CNN called off

in , , ,

CNN to go dark 19 April 2008 1200 GMT according to Chinese Hackers | IntelFusionIn case anyone thinks cyber warfare is a myth, this is more evidence of its reality. It appears that a non-governmental group of Chinese hackers were planning to take down CNN as a protest against their perceived western bias in coverage of Chinese issues. Evidently news of the plans spread too far, and it was called off. 

Every Click You Make - washingtonpost.com

in , , , ,

This article discusses the risk from "deep packet inspection" by ISPs. The article states that at least 100,000 people in the US are being tracked with this technology right now. If true, the impact of this could be huge. Whereas a website can only track you when you are actually visiting that site, your ISP can see all of your activity on any website or other service you use. The idea is that the information collected could be sold to advertisers to better target marketing messages to you. If you had been looking at car sites, you might see more car ads next time you visit an advertising supported website like CNN.com.This is certainly not the realm of science fiction. The Chinese government is already using this technology on a massive scale as part of their national censorship infrastructure. They use it to detect forbidden words and phrases, "Tibet" being at the top of that list right now.Most of us assume that the bad guys are "out there" on the net, and assume that our ISPs are basically just passing our traffic along without looking at it. If they start this kind of inspection, it opens all kinds of additional risks. Once the equipment is there, a rogue sysadmin could tune it to watch for passwords, personal information, bank information, etc. It opens a whole new set of vulnerabilities.Anonymizer's Total Net Shield, and Private Surfing (with full time SSL enabled) provide significant protection against this threat. Both allow you to tunnel your traffic to Anonymizer without the ISP being able to inspect it, other than to see that it is going to Anonymizer.It is shocking to me that this kind of thing should be possible without explicit user consent. Maybe we need a "truth in labeling" law for Internet service providers.  A bottle of Napa Merlot can not be so labeled unless it is from Napa and made from merlot grapes. Similarly, it should not be called an "Internet Connection" if you can't go everywhere (some ISPs are restricting certain perfectly legal protocols). If the ISP is going to spy on you, it should be in big red letters. Maybe I am OK with that, but I certainly have a right to know in advance.

Yahoo posts pictures of wanted Tibetans

in , , , ,

Yahoo and MSN helping to root out Tibetan rioters | The ObserversYahoo China posted pictures of "most wanted" Tibetan protestors on Yahoo! China's home page. Cooperation with lawful process in a repressive country is bad enough, here they are actively collaborating. Yahoo!'s claim that this was done by Yahoo! China, not by the Yahoo! mother-ship, seems disingenuous at best.Active support of censorship and oppression is clearly unethical. If this is not clearly on the wrong side of the line, then what in the world is?

Firewire enables direct hack against any OS

in , ,

Tool Physically Hacks Windows - Desktop Security News Analysis - Dark ReadingI am not sure how this has been true for years, yet has received so little attention. This article discusses the fact that Firewire connections enable direct read and write to a computer's RAM. In many ways, this is even better than the RAM persistence I blogged about a while back. It appears to be easy to write a script that would run on an iPod or other Firewire device which will allow you to grab passwords from memory, bypass login screens, and gain access to the local drive. The amazing thing about the memory access is that it actually bypasses the CPU entirely. Normal security software will not pick this up at all. PCMCIA and Firewire are designed to work this way. It is a "feature" not a "bug". Never the less, it is a huge security issue. If your computer is under the physical control of another person, you are in trouble. Hard drive encryption is the solution, but only if the computer is OFF. If it is on, then the password can be grabbed from memory. There is really no solution to that problem.There are two actions one can take. First, you can physically disable your Firewire capability if you need to leave your computer running unattended. Second, you can make sure you never leave your computer running unattended in an insecure location, and that the hard drive is encrypted securely. This second suggestion is the same solution as for the RAM persistence attack.

Objectionable material of any kind or nature not allowed.

in ,

Web Site Criticizing Quran Curbed - WSJ.comA Dutch lawmaker has a website promoting a short film critical of the Quran. It appears that the site and article are extreme and unreasonable, but what is really shocking is the policy of Network Solutions against "objectionable material of any kind or nature." Most of the interesting thought, literature, and art is objectionable to someone. This is clearly a license to remove anything they want. To me, it is a compelling reason to avoid using Network Solutions.

VoIP: Who Might Be Spying on Your Communications? (Hint — It's Not Just the NSA) - VoIP News

in , ,

VoIP: Who Might Be Spying on Your Communications? (Hint — It's Not Just the NSA) - VoIP NewsThis somewhat simplistic article makes the case that one should not consider VoIP to be a secure replacement for land line phones. It too is vulnerable to a number of governmental and criminal interception attacks.

Swiss bank in Wikileaks case abruptly abandons lawsuit | The Iconoclast - politics, law, and technology - CNET News.com

in , , , , ,

Swiss bank in Wikileaks case abruptly abandons lawsuit | The Iconoclast - politics, law, and technology - CNET News.comIn a follow up to the earlier story, it seems that the judge finally realized the implications of his actions to free speech, and the fact that his injunction was almost completely ineffective. This is a really good thing. If the ruling had stood under appeal and become precedent, it would have significantly changed the Internet landscape.

Bruce Schneier's Security Matters: The Myth of the 'Transparent Society'

in , ,

Bruce Schneier's Security Matters: The Myth of the 'Transparent Society'This is a nice little article arguing against the idea of Brin's Transparent Society as a solution to the privacy problem. I suspect David Brin would object to the characterization of his work as presenting it as a panacea, but many do so argue.Bruce argues that the relative power disparity makes for un-equal results in the two direction of observation. From my perspective, the idea of enabling the public to watch the government surveillance apparatus is completely unrealistic. It would enable our enemies (and as a nation the US does have real enemies) to reverse engineer and avoid our surveillance. The best one can realistically hope for is very rigorous oversight (which has also seemed unrealistic of late).At the same time the spread of cameras, facial recognition, RFID, etc., is rapidly increasing the level of surveillance of the general population. The only place where observation and recording by the people seems to be really effective is in issues of corruption or abuse of power. Rodney King being an obvious (and ambiguous) example. 

Security and Privacy Aren't Opposites

in , , , , ,

What Our Top Spy Doesn't Get: Security and Privacy Aren't OppositesWow, I don't know how I missed this one back last month! I wish I had written this essay. The key point is that privacy is not the antithesis of security. Most of the privacy invading "security" solutions we see are what I call "placebo security" and Bruce calls "security theatre" . Things like the "don't fly list" which appears to catch orders of magnitude more innocents than terrorists, and the national ID card when all the terrorists had legally issued valid ID already.In fact, many measures seriously damage security, like putting personal information in the clear on drivers licenses, including Social Security Numbers in many cases! It is an axiom of security that valuable information will leak and people with access will abuse that access. The more control a government demands, the more  oversight is required. That was my real problem with warrantless wiretapping. Not the wiretapping, but the warrantless. Surveillance of anyone at any time for any reason is the hallmark of a police state. The key is independent oversight. The debate on how that should be done must be open an honest.The security vs. privacy debate seems to me to be built on dishonest assumptions. It tends to be rhetoric and political point scoring on both sides with little discussion of whether the proposed solutions or changes actually improve security, what the real trade off is, and whether that trade is worth while.We are currently being asked to sacrifice enormous amounts of privacy and freedom to confront a threat that is miniscule compared to smoking or drunk driving, threats about which few would make such arguments. 

Finnish government blacklists 'free speech' site.

in , , , ,

Finnish government blacklists 'free speech' site | The Iconoclast - politics, law, and technology - CNET News.comHere is another Declan article that deserves more attention. In this case the Finnish government is censoring a website for publishing a list of websites he discovered to be on a secret censorship black list compiled by the Finnish government. Censoring someone for trying to speak out about censorship is almost always a bad idea. As one might expect, free speech advocates around the world have mirrored the black list so many times and in so many places, it will be just about impossible for the Finnish government to contain the spread. 

Wikileaks domain name yanked in spat over leaked documents | The Iconoclast - politics, law, and technology - CNET News.com

in , , , , , , , ,

Wikileaks domain name yanked in spat over leaked documents | The Iconoclast - politics, law, and technology - CNET News.comDeclan does a really good job here of discussing a fascinating case. WikiLeaks is a Wiki based website designed to enable completely anonymous posting of tips and leaked documents. It is focused around enabling disclosure of information from repressive countries.A US court recently ordered WikiLeak's domain name registrar to disable their domain name because of some documents on the site about questionable off shore banking activities by a group of Swiss bankers.The real shocker here is the draconian action against WikiLeaks prior to the resolution of the claim. It is also ineffective action because WikiLeaks is openly hosted under a number of domains in a number of different countries.I am very interested to see how this story develops and whether the injunction will stand up once the details of the offending materials become clear.

How to physically take a computer without interrupting the power.

in , ,

One of my folks at Anonymizer pointed me towards this site WiebeTech HotPlug as a follow up to my blog post yesterday about recovering data from RAM after it has been removed from power. The HotPlug tool is sold to law enforcement to enable seizure of a computer without ever turning it off. The system has several methods that allow a running computer to be transitioned to a portable UPS system without causing the computer to shut down or react in any way. It can then be transported to a lab with the OS still running.As an additional clever trick, they have a USB dongle called the "Mouse Jiggler" which simulates a mouse making constant small motions, thus preventing a screen saver from ever activating. This allows the attacker to take all the time he needs without worrying about a password protected screen saver, or any other inactivity based security trigger, activating.All this enables the attacker to get the computer back to controlled laboratory conditions before trying to access the machine or pulling the power to capture the RAM image. Yet another argument for not walking away from a running computer with sensitive information. 

An example of the power of social engineering

in , , ,

Here is another article I picked up on the Qui Custodes blog of David Kaufman: Washington City Paper: Cover Story: Desk Job.This article describes a woman, without any special training, who was able to gain access to "secure" government buildings and steal money right from the desks and purses of the employees. Obviously this could have been documents and information if she had been involved with foreign intelligence. Her methods were simple. She was spotted frequently, but very few people were willing to confront her about her actions, choosing to avoid conflict. The moral here is: security is about everyone following up on everything that seems out of place or unusual. Better metal detectors, or bigger guns at the front door won't do it. Security comes from the alert minds of everyone on the inside of the building being willing to ask direct questions.

Whole disk encryption highly vulnerable to physical attack.

in , ,

Center for Information Technology Policy » Lest We Remember: Cold Boot Attacks on Encryption KeysThis  paper provides real experimental data on an interesting attack on computer security. Rather than focusing on cracking keys or breaking cryptosystems, it looks at recovering data and keys directly from computer RAM. The authors show that a computer's RAM can be recovered with few errors several seconds after power has been removed, and that can be extended to several minutes if the memory is cooled well below zero.Squirting the chips with a can of compressed "air" can cool it enough to give you minutes of working time. Plenty of time to drop it in liquid nitrogen, which would give you over an hour with almost zero loss of information.The process for recovering the data from the memory chips is simple and requires no special equipment at all.The big threat here would be in situations where your computer is stolen in a sleep state. The password protection will make it very hard for an attacker to get access to the machine without a reboot, but the attacker has all the time in the world to cool the chips before pulling the power. From a behavior point of view, it says that you should take care to actually turn your computer OFF if it is going to be out of your physical possession, or if there is risk of it being seized without notice. Leaving your computer on and sleeping, but protected with a screen lock, is very risky against a aggressive and technical opponent.Thanks to David Kaufman for passing this along to me. 

Does the Fifth Amendment Protect the Refusal to Reveal Computer Passwords? In a Dubious Ruling, A Vermont Magistrate Judge Says Yes

in , , ,

FindLaw's Writ - Colb: Does the Fifth Amendment Protect the Refusal to Reveal Computer Passwords? In a Dubious Ruling, A Vermont Magistrate Judge Says YesThis case raises some interesting questions about using cryptography. Not the usual ones about technical attacks, but about how strong crpyto behaves in court. In general, if someone finds an encrypted volume on your computer, is that prima fascia evidence of illegal materials and thus probable cause? Suppose it was called “my plans to kill the president”? In this particular case the defendant actually showed law enforcement people the contents of the encrypted directory, and the files located therein clearly indicated illegal content. That would seem to be his big mistake. The prosecutors are not guessing about the files in there, they know what is there already, and just want access.At the end of the day, the defendant can always decide if the punishment for contempt for not revealing the password is worse than the punishment for what will be found inside. If the contents are really bad, he is best off resisting. I can’t see anyone doing 20 years in jail to compel production of the password.Of course, in that amount of time, computers may be fast enough that brute forcing the password may be trivial. This is a real concern if the statute of limitations for your crime is very long or there is no limitation.