The Library of Congress will publicly archive every tweet ever posted

in ,

For a long time I have been saying that storage is cheap and that one should assume that anything put out on the Internet will live forever. It looks like that is even being institutionalized. The US Library of Congress recently announced that it will be creating a public archive of every tweet sent since the founding of Twitter. This kind of resource will keep tabloids in business for decades to come. Generations of celebrities yet undiscovered should be concerned about their old unguarded, but now professionally preserved, brain droppings.

For the record, I am not opposed to this archiving. It is happening anyway in private databases. This just makes the issue more visible and helps to raise awareness. It is similar in many ways to The Internet Archive project.

Saving Internet Anonymity -- The Struggle is Joined

in , , , , ,

Lauren Weinstein's Blog: Saving Internet Anonymity -- The Struggle is Joined I strongly encourage anyone with a commitment to Internet anonymity to read this blog post. An organized opposition to the existence of such anonymity is growing. Of course, like attempt to clamp down on cryptography, it will only impact the law abiding while criminals use bots and other tools to circumvent the restrictions.

Between this and the push to remove the expectation of privacy from all stored emails, I am very concerned.

Pseudonyms: The Natural State of Online Identity | Privacy Digest

in , ,

Pseudonyms: The Natural State of Online Identity | Privacy Digest This article does a nice job of making a point I have been talking around for some time. The Internet naturally supports pseudonymity, and that is really what we want most of the time. When I talk to someone on-line, I am most interested that I am still talking today with the person I started talking to last month. Whether the name actually corresponds to their birth certificate is not important (and I would not have any idea in a real world encounter either).

Anonymous iPad anyone?

in , , ,

Having just finished initial testing with the actual iPad device, I am pleased to announce that Anonymizer Universal (AU) provides the same level of support on the iPad that we have been providing for the iPhone and iPod Touch! Considering how these devices are going to be used, the combination of privacy along with the security when using insecure WiFi is really critical.

China may have temporarily disabled access to Google

in , , ,

Google Runs Into Chinas Great Firewall - WSJ.com This article reports on an outage experienced by Google users in China. At first Google thought it was due to a technical issue, but now think that it was an intentional outage caused by the Great Firewall of China. It seems likely that this was a retaliation to punish Google for its statements and actions.

Google Stops Censoring in China

in , , , , ,

From the Official Google Blog (follow link for the whole post):

So earlier today we stopped censoring our search services—Google Search, Google News, and Google Images—on Google.cn. Users visiting Google.cn are now being redirected to Google.com.hk, where we are offering uncensored search in simplified Chinese, specifically designed for users in mainland China and delivered via our servers in Hong Kong. Users in Hong Kong will continue to receive their existing uncensored, traditional Chinese service, also from Google.com.hk. Due to the increased load on our Hong Kong servers and the complicated nature of these changes, users may see some slowdown in service or find some products temporarily inaccessible as we switch everything over.

I would expect to see China censor Google.cn very quickly (which would prevent the re-direct to Google.hk). It will be interesting to see if China will then take the next step of censoring Google.hk and possibly other Google properties around the world. It would be easy for Google to set up any or all of them to return results in chinese if the browser is detected to be configured in that language.

Schneier on Security: Disabling Cars by Remote Control

in ,

Schneier on Security: Disabling Cars by Remote Control This is just too good. It is a great example of where giving others power over your security, which they then centralize in a single place, leads to compromise with nasty failure modes.

In this case, a disgruntled former employee uses a system to disable over 1000 vehicles.

UK insurer raises rates on social network users.

in , ,

In this article "I don't bleepin' believe it" ComputerWorld reports on a UK insurer raising rates on social network users. The reason points back to something I have been talking about for some time. People post travel information to their social network sites. They say when they will be away from home, and for how long. This is perfect fodder for thieves, who can typically also collect enough information about the posters to identify them and find where they live. This is why I don't blog, Twitter, or otherwise post about conferences I am going to, even though it would be great to use social networks to connect with folks at the conference or in the conference city.

"Anonymizer Universal" product suite launched!

in , ,

I am really excited to announce our new product “Anonymizer Universal” (AU), available starting today. AU represents a totally new architecture for our services. Not only is it more powerful, faster, and much more capable, but it now also supports Mac and iPhone platforms! With one subscription you can use it across any of the supported devices.

Our new solution is VPN based, and bypasses any specific software support issues. AU works with any browser. Any program that connects to the Internet will automatically take advantage of AU. All connections between your computer and Anonymizer are cryptographically protected.

AU continues to leverage our massively scaleable backend infrastructure that provides the anonymity and daily rotating IP addresses.

AU will replace both our “Anonymous Surfing” and “Total Net Shield products”. “Nyms” is becoming all web based and will soon be upgraded with new interface options and better integration.

Expect to see more new capabilities and expanded solutions going forward as the renewed and expanded resources we are devoting to these products bear fruit.

Tor partially blocked in China

in , , , ,

Tor partially blocked in China | The Tor Blog That last article lead me to this post on the TOR blog from September 15, 2009 (I am a bit late to this party). China is now blocking about 80% of the public TOR nodes.

This mostly ends a rather baffling situation where for some reason the Chinese were failing to block TOR even though it was being used effectively for censorship circumvention, the list of nodes is publicly available, and they are no more difficult to block than any other server.

Privacy Network Tor Suffers Breach | Privacy Digest

in , ,

Privacy Network Tor Suffers Breach | Privacy Digest It has been reported, and the TOR folks have confirmed, that two of their core directory servers were recently compromised along with another server showing usage metrics. While it does not at first appear that the attack was aimed at compromising the TOR network, it would certainly have made some interesting attacks possible. Specifically, it looks like it would have allowed attackers to force users on to chains of all enemy run nodes. This is very concerning.

It also brings us the issue of general security of the TOR nodes. Since they are mostly run my volunteers, the security of the nodes is going to be very inconsistent. It is likely that many of them are vulnerable to attack which would give an adversary the ability to control a much larger fraction of the TOR network.

Google human rights accounts attacked from China

in , , , , ,

Official Google Blog: A new approach to China Google is officially stating that a number of email accounts hosted by Google were attacked from within China. The accounts seem to be mostly connected to Chinese human rights activists. They also state that this is part of a larger pattern extending over a number of other companies.

The most amazing thing about this is the very aggressive pro-privacy stance Google is taking in response to this. They are saying that they will stop censoring search results at Google.cn. That they will talk with the Chinese about how to do this, but are willing to completely pull out of operations in China if they can't provide un-censored content from within.

The post is worth reading in full. Here are the concluding paragraphs:

These attacks and the surveillance they have uncovered--combined with the attempts over the past year to further limit free speech on the web--have led us to conclude that we should review the feasibility of our business operations in China. We have decided we are no longer willing to continue censoring our results on Google.cn, and so over the next few weeks we will be discussing with the Chinese government the basis on which we could operate an unfiltered search engine within the law, if at all. We recognize that this may well mean having to shut down Google.cn, and potentially our offices in China.

The decision to review our business operations in China has been incredibly hard, and we know that it will have potentially far-reaching consequences. We want to make clear that this move was driven by our executives in the United States, without the knowledge or involvement of our employees in China who have worked incredibly hard to make Google.cn the success it is today. We are committed to working responsibly to resolve the very difficult issues raised.

Wow. We shall see.

Huge vulnerability in encrypted USB drives

in , ,

NIST-certified USB Flash drives with hardware encryption cracked - The H Security: News and Features Security firm SySS announced (in German) that it has discovered a massive vulnerability in the hardware encryption for USB thumb drives by Kingston, SanDisk and Verbatim. From the article at The H Security it looks like the problem is that all drives share a single symmetric encryption key at the hardware level. The password interface seems to simply do some gymnastics to get access to that key. It does not really matter what it does because SySS was able to intercept the actual hardware key being sent in the clear to the device.

They then simply wrote a little program to just send that key without bothering with the password or anything else. Because all drives by the same maker use the same key, this program can instantly open any encrypted USB drive by that maker.

From the sound of it, this is a very easy attack for someone to duplicate. If you have one of these drives, I would suggest that you treat them as if they were normal un-encrypted thumb drives.

Kudos to Kingston for quickly providing details of which of their drives are affected, and recalling them. SanDisk and Verbatim have issues software fixes. If I understand the attack correctly, I am not sure how a software patch will solve it, so watch this space.

Update on new products

in ,

Our major new product release is now in Beta. We were hoping to release it in late 2009, but the testing has revealed some issues we want to fix first. I am not willing to compromise on the quality or security of our products. The unsatisfactory result of trying to stretch our old framework to work with new operating systems and browsers drove us to this total re-architecture of the solutions. A nice side effect is that the new products will work cross platform (we should launch with Mac, Windows and iPhone), and support many more programs and protocols than the old solutions. It supports all the latest browsers on all supported platforms.

We don't have a firm ship date yet, but we are getting close.

Once Again, Google is in a tricky spot with censorship, this time in India.

in , , , , , ,

Google and India Test the Limits of Liberty - WSJ.com In this case, it is not the search engine, but their social networking site "Orkut" which is the issue. Google's troubles stem less from their actions than the fact that they are the dominant social networking site in India, and so most of those issues happen on that site.

Google has been forced to take down a lot of content, and hand over the identities of many posters. If the examples in the article are to be believed, the threshold for censorship is not high.

At the risk of repeating myself, if you live in India and you want to say something that might push or cross the line, do it with robust anonymity technology. You might still have your post taken down, but they can't come after you.

Google thinks you don't need privacy

in , , , ,

You Have Zero Privacy Anyway -- Get Over It This is a good article by David Adams on OSnews talking about a recent quote by Google CEO Eric Schmidt saying "If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place." David compares this to a similar and infamous quote by Sun's Scott McNealy.

I think the reality is not that privacy is dead, or unimportant, but that it is hard. Maintaining privacy requires thought and vigilance, now more than ever. Much as I love it, the Internet is the most surveillance enabled and friendly technology ever created.

Question from a long time customer

in , , , , , , , , , ,

A long time customer recently sent in the following question. Since it should be of broad interest, I asked his permission to anonymous post and answer it here.

How do you know that subscribing to an anonymizer does not simply mark you for observation? We all know the NSA is capable of intercepting any electronic communication, and with gajillions of electronic communications happening every second, how would the NSA (or the FBI or the CIA or whoever it is who watches us) know which of those communications to watch? Seems like the people wanting anonymity would be the first on the list. Surely they COULD, couldn't they? That is, get the subscriber lists, which would enable them to intercept communications this side of the proxy - i.e., intercept on the way out, on the way TO the proxy, BEFORE it gets securely tunneled? And no, that would not be possible with the web, but it would with email. Supposedly. This is what has been proposed to me. What do you think? Does it have any validity?

It is certainly the case that the government could, in principle, monitor your access to privacy services. As long as that access is over a strongly encrypted connection, the contents of your communication, what sites you are visiting or who you are communicating with would be protected. The strength of your anonymity is then largely determined by the number of other users of the same service with which your traffic is being mixed.

In the United States, the use of privacy tools is not restricted. Strict separation of intelligence from law enforcement functions should prevent drift net monitoring of your use of Anonymizer from leading to any kind of legal investigation. The huge number of Anonymizer subscribers would also make this difficult and highly visible.

Outside of the US it is another story. Many countries exercise much greater control over the Internet. Even if it were not blocked by the Iranian government, accessing the Anonymizer website from within Iran would be a risky activity. Once again, the key here is safety in numbers. We have run anti-censorship tools in Iran that supported over 100,000 users. With those numbers, it is awkward for the government to go after people simply for using the service. This is not to say that if you are already under observation for some other reason that it would not give them added ammunition. Privacy tools are generally very effective at keeping you below the radar, but can be much less effective once you are on the radar for whatever reason.

The reality is that there is no evidence of widespread Internet surveillance being used in the US to track users of privacy services. As long as the connection to the service is well encrypted, you should be fine.

Social Networkers Risk More Than Privacy | Privacy Digest

in

Social Networkers Risk More Than Privacy | Privacy Digest Here is another story about how bad people can use your social network presence against you. In this case, it is about home burglars using information about travel and vacation plans. This really demonstrates why I have this ambivalent relationship with social networking. On the one hand, I love being able to find and reconnect with old friends. On the other, I feel unable to use more than a tiny fraction of the capability because of the identity theft, privacy, and physical security issues associated with really opening myself to the world.

I even agonize over whether I should only "friend" real friends, so only they can see some of the content on my page. The other option is to accept everyone so analysts can't tell who my real friends are from looking at my network.

In general I have opted out. Even anonymity is a tricky thing in this context. If I go in totally anonymously, then I really get very little benefit from the site. If I try to be anonymous but still connect with friends, the anonymity will be tissue thin and instantly penetrated by anyone interested.

The Proxy Fight for Iranian Democracy - Renesys Blog

in

The Proxy Fight for Iranian Democracy - Renesys Blog This is an article worth reading and understanding. The gist is that the use of proxies to evade censorship in Iran is failing. They are now getting blocked faster than they can be created. This is a basic flaw in the idea of simply deploying a proxy and promoting it. One must assume that the Iranian censors are monitoring the same channels you are trying to use to promote the proxy. After all, a proxy no one knows about is of little use. Public open proxies are similarly doomed because the Iranian censors can use the same discovery tools you do to find such proxies. Also, once you try to let people know about them, the same problem applies as with new proxies.

Distribution of a given proxy address to only a small number of people solves that problem, but it is very limiting. It takes tremendous numbers of proxies to serve a large population, and only those with contacts who have set up proxies are protected.

There are solutions to these problems, but they require substantial technical skills and resources to implement.

If you have contacts within Iran, do what you can to set up closed proxies that they can use to bypass censorship. In the short run, it is an effective action you can take right now. A good place to start would be here.