Internet Explorer vulnerability allows mouse tracking

spider.io is talking about a bug they discovered in Microsoft Internet Explorer versions 6-10. Evidently the bug allows tracking of your mouse movement even if the browser window has been minimized and you have a different application active.

They say that at least two companies providing display ad analytics are already using this exploit to improve their analysis.

OUCH! Yet another good reason to use any browser but IE.

Syria switches tactics and kills their Internet

Fast Company has a good article laying out the state of events regarding the Internet in Syria.

Here is the short version. Syria has changed tactics, from keeping the Internet available but heavily monitored and surveilled, to turning off what appears to be all Internet connectivity within the country.

Syria was unique in its cyber response to their Arab Spring uprisings. Rather than lock down the Internet, they actually un-blocked some popular social media sites. They did this because of the incredible surveillance capabilities this makes possible. Business Week has a nice story on this aspect.

This reversal would seem to have a few possible reasons.

1) Dissident tactics like encryption are making the surveillance less effective.

2) The damage from dissident publishing is greater than the value of the intelligence.

3) The Syrian government is about to do something really nasty and they want to make it very hard to report about it.

We shall see. The fact that the Syrian government appears to have turned off even its own Internet access suggests that they are worried about any leaks through the wall, which makes reason 3 seem more probable.

The Privacy Blog Podcast – Ep.2: Website Pricing Tactics and the Dangers of Using Wi-Fi While Traveling

Welcome to our November 2012 podcast. In this episode, I’ll be talking about the tactics websites use to charge one customer more than a customer in a different city, state, or country. After that, I’ll discuss the dangers of using the Internet while on the road - as many of you are likely to do this holiday season. Don't miss our video showing how your Facebook account can be compromised on an unsecured connection. Follow this link to Anonymizer's site and select 'Video 2'.

Download the transcript here.

App accuses you of piracy using your own Twitter account.

Dictionary apps post false piracy confessions on Twitter - Crave

The Oxford Deluxe dictionary app requests access to your Twitter account when it is installed. In some cases it then uses that account to post hundreds of identical tweets saying that you pledge to stop pirating software.

It is not exactly clear what criteria the software uses, but obviously there is a lot of backlash going on.

Another argument for taking great care about what applications and services you allow to take control of your social media accounts.

Google gets 55% more government information requests in 2012 than 2010

Google Transparency Report shows government surveillance, takedown requests are up.

The number of information requests coming to Google from governments around the world is growing fast. It is up 55% for the first half of 2012 vs. the first half of 2010. The linked article has some nice graphs showing the trend.

It is interesting to note that the US leads the world with over a third of the total requests, followed by India then Brazil.

The other, even faster, trend is in takedown requests. Since Google is a search engine, not a host, this is really pure censorship. Takedown requests are up 88% between the first half of 2011 and the first half of 2012. That is a true hockey stick. A lot of it appears to be attempts to suppress criticism of governments or government activities.

The more such information is gathered, the more important it is to take control of your own personal privacy.

More evidence of the danger of Hotel Internet

EU officials 'hacked' at Azerbaijan Internet Governance Forum | ZDNet

It appears that the laptops of two EU officials at the Internet Governance Forum in Azerbaijan got hacked while they were in the hotel.

Suspicion is immediately falling on the Azerbaijan government.

No one is mentioning breaking and entering, so I would assume they were attacked via the insecure Internet in the hotel.

Yahoo to ignore IE 10 Do Not Track

From Declan's article on CNET.

The fight over the "do not track" flag continues.

In the latest version of Internet Explorer (version 10), Microsoft has made "do not track" the default setting. This makes tracking by websites an "opt in" rather than an "opt out" proposition. Privacy advocates have long favored this approach, but advertisers don't like it.

Yahoo feels so strongly about this that they say that they will ignore the Do Not Track (DNT) flag when coming from IE 10 browsers. The open source Apache web server is also going to come configured to ignore the IE 10 DNT flag.

So, even if you explicitly want Do Not Track, and would have gone in and manually enabled it, you will be tracked by Yahoo anyway.

Ironically, this means that if you actually want to not be tracked, you need to use a different browser and manually enable the setting.

I do appreciate the effort, Microsoft, and shame on you, Yahoo.

Australians should use US IP addresses to save money.

Choice, an Australian privacy group, has released a paper on how to avoid geo-blocking and price discrimination against Australians.

Their research has shown that prices, especially on IT purchases, are significantly higher for Australians than Americans, even before considering shipping costs.

Using a VPN based privacy service like Anonymizer Universal allows Australians (or anyone else) to use a US IP address to get the best prices.

Social Engineering - The oldest and best trick in the book.

The Washington Post has a good article on social engineering attacks. It is a good treatment of the topic.

Short answer: humans are the weak link, and can be defeated with extremely high probability.

The takeaway from this whole thing is that we need to be building security systems that don't rely on humans not being tricked into compromising their own security. A lot of security architects take a "blame the victim" stance. Users have other things to worry about than security. We need to make sure security happens even if they are not paying attention to it.

Picking Powerful Pins

Despite all the work on dual factor authentication and other new security methodologies, in general our passwords are the keys to the kingdom.

In many cases, such as at ATMs, we are limited to 4 digit numeric PINs.

This post on DataGenetics does a good job of analyzing how bad we are at picking PINs and how easy we make things for the attackers.

It is worth a read.

Short answer: you can get into over 10% of accounts by guessing "1234".

The real FBI facial recognition project

The New Scientist has an article on the FBI's Next Generation Identification (NGI) program.

It started out as a project to replace the old fingerprint database, but will now include biometrics, DNA, voice prints, and facial recognition.

The idea is to database all the mugshots so people can be quickly identified after arrest, or possibly so surveillance video could be compared to the database to identify possible suspects.

Obviously there are lots of civil liberties issues here, but this is still a very long way from the paranoid, Hollywood-inspired rantings about real time global surveillance with integrated biometrics.

Anonymous / Antisec lied about iOS UDID leak?

NBC News is reporting that the iOS UDIDs leaked last week were actually stolen from Blue Toad publishing company. Comparing the leaked data with Blue Toad's data showed 98% correlation which makes them almost certainly the source.

They checked the leaked data against their own after receiving a tip from an outside researcher who had analyzed the leaked data.

It is certainly possible that this data had been stolen earlier and that, in tracking that crime, the FBI had obtained the stolen information. This strongly suggests that this is not a case of the FBI conducting some kind of massive surveillance activity.

The other possibility is that Anonymous and Antisec are simply lying about the origin of the information as part of an anti-government propaganda campaign.

Either way, it is a big knock on their credibility, unless you think this whole thing is just a conspiracy to protect the FBI.

A new "modest proposal" for the Internet

In the tradition of Jonathan Swift's "A Modest Proposal" is "The Dictator's Practical Guide to Internet Power Retention, Global Edition".

Under the pretext of being a guide on how to crack down on Internet dissent for dictators, it does a nice job of analyzing how the Internet is used by dissidents, and the techniques used by governments to crack down on those practices.

Thanks to boingboing for bringing this to my attention.

Automation and content blocking don't mix

YouTube's anti-piracy filters automatically blocked the authorized video of First Lady Michelle Obama's convention speech as infringing.

Evidently the algorithm automatically looks for content that matches content from their commercial partners. Since all the networks were re-broadcasting the convention speech, it got flagged. This is not the first time this has happened.

Wired article on this here.

The iOS UDID leak

Forbes is reporting that Anonymous and Antisec have dropped a file with a million Unique Device ID (UDID) numbers for Apple iOS devices. They claim to have acquired an additional 11 million records which they may release later.

In addition to the identifiers, the file is said to also contain usernames, device names, cell numbers, and addresses. It is this additional personal information that seems to be the real threat here.

The Next Web has set up a tool for checking to see if your information is in the leaked data. You don't need to enter your full UDID into the field, just the first 5 characters. That way you don't need to trust them with your information either.

None of my iOS devices showed up on the list, so I downloaded the entire file to look it over. You can see the release and download instructions here.

Looking through the document, I don't see any examples of particularly sensitive information. The first field is the claimed UDID. The second field is a 64 digit hex string. After that is the name of the device, frequently something like "Lance's iPad". Finally there is a description of the device itself: iPad, iPhone, iPod touch.
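As an added example (my own code here, not the original post's and not The Next Web's tool), here is a parser for the four-field layout just described, plus a prefix lookup in the spirit of the checker mentioned above, where only the first few characters of a UDID are compared so the full identifier never has to be shared. The tab delimiter, the 40-hex-character UDID length and every sample row are assumptions and constructed data.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample rows in the layout the post describes:
# UDID, 64-hex token, device name, device type. Tab delimiting, 40-hex
# UDIDs and all values are assumptions for this example; nothing is real.
SAMPLE_ROWS = [
    ("0123456789abcdef0123456789abcdef01234567", "a" * 64, "Lance's iPad", "iPad"),
    ("0123456789abcdef0123456789abcdef01234568", "b" * 64, "Test iPhone", "iPhone"),
    ("not-a-udid", "c" * 64, "Broken line", "iPod touch"),
    ("89abcdef0123456789abcdef0123456789abcdef", "d" * 64, "Office iPod", "iPod touch"),
]
SAMPLE_DUMP = "\n".join("\t".join(row) for row in SAMPLE_ROWS) + "\n"

UDID_RE = re.compile(r"^[0-9a-f]{40}$")   # assumed UDID shape (40 hex chars)
TOKEN_RE = re.compile(r"^[0-9a-f]{64}$")  # the 64-hex second column


@dataclass
class Record:
    udid: str
    token: str
    device_name: str
    device_type: str


def parse_records(text: str) -> Tuple[List[Record], int]:
    """Parse tab-separated rows; return (valid records, count of rejected lines)."""
    records, rejected = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if (len(fields) != 4
                or not UDID_RE.match(fields[0].lower())
                or not TOKEN_RE.match(fields[1].lower())):
            rejected += 1  # malformed rows are skipped, not trusted
            continue
        udid, token, name, dtype = fields
        records.append(Record(udid.lower(), token.lower(), name, dtype))
    return records, rejected


def prefix_matches(records: List[Record], prefix: str, min_len: int = 5) -> List[Record]:
    """Return records whose UDID starts with `prefix` (at least min_len hex chars)."""
    p = prefix.strip().lower()
    if len(p) < min_len or not re.fullmatch(r"[0-9a-f]+", p):
        raise ValueError("prefix must be at least %d hex characters" % min_len)
    return [r for r in records if r.udid.startswith(p)]


def expected_false_positives(n_records: int, prefix_len: int) -> float:
    """Expected spurious prefix hits for a random UDID: 16^prefix_len prefixes."""
    return n_records / float(16 ** prefix_len)


if __name__ == "__main__":
    recs, bad = parse_records(SAMPLE_DUMP)
    print(len(recs), "records parsed,", bad, "rejected")
    for r in prefix_matches(recs, "01234"):
        print("prefix hit:", r.device_name, r.device_type)
    print("expected chance hits per query in 1M rows, 5-char prefix:",
          expected_false_positives(1_000_000, 5))
```

The last function is the caveat: with a million rows and a 5-character prefix you should expect roughly one chance match per query, so a prefix hit is a reason to compare the full UDID locally, not proof your device is in the file.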

SHA-256 hashes are 64 hex digits long, and are widely used in forensics to verify that captured evidence has not been changed. My intuition is that something like that is what we are seeing in that second column.

I have no idea where the claims about addresses and account names came from. I am not seeing anything like that.

It is interesting that Anonymous / Antisec claim that this data came from the hacked laptop of an FBI agent. This certainly raises big questions about why he would have this information on his laptop, and why the FBI has it at all.

While 12 million is a big number, it is a tiny fraction of the over 400 million iOS devices sold to date. Still, that would represent a shockingly wide dragnet if these are all being monitored in some way by law enforcement.

Of course, for all we know this list was captured evidence from some other group of hackers.

So, short answer (too late!), you probably don't have anything to worry about here, but you might want to check to see if your device is in the database anyway.

UPDATE: It appears that the UDID may tie to more information than was immediately apparent. While Apple's guidelines forbid tying UDIDs to specific accounts, of course that happens all the time. My friend Steve shared a link with me to an open API from OpenFeint which can tie a UDID to personal information. Certainly there are others which would reveal other information. The existence of these, and the leaked list of UDIDs, would allow an app developer to tie a user's real identity to their activity and use of the app on their iOS device.

UPDATE 2: I find it impossible to actually read documents from Anonymous and Antisec; they are just so poorly written. It seems I missed their statement in lines 353 and 354 of the pastebin where they say that they stripped out the personal information. The 64 digit block is actually the "Apple Push Notification Service DevToken". SCMagazine is reporting that the FBI is denying that the laptop was hacked or that they have the UDIDs.

My philosophy on privacy and anonymity

I have recently seen chatter suggesting people are confused about my thinking and allegiances on various privacy issues. First, a few core beliefs that form the axioms underlying my actions and positions.

I believe that:

  • The basic design of the Internet and the protocols that run on top of it make it the most privacy hostile major communications medium ever used.
  • Censorship and widespread surveillance are inimical to free speech and free expression.
  • Personal privacy is critical to our social, societal, and mental health.
  • There are criminals, terrorists, and governments whose activities will undermine the quality of life for myself, friends, and family.
  • Law enforcement and intelligence organizations are a necessary part of a functioning society.
  • Governments and other organizations are made up of real people with real and diverse opinions and are not monolithic entities and edifices of conformity.
  • If data is valuable to someone, and is sitting around in a database or other storage, it is very likely to be compromised at some point, in some way.

So, these basic tenets lead me to take the following opinions:

Individuals need the ability to robustly protect their privacy when engaging on-line. While not all areas of the Internet are appropriate for anonymity (I really want my bank to make sure it is me accessing my accounts), anonymity / pseudonymity should be an option in most social spaces on the Internet.

Not only are most websites not inclined or incentivized to help you be anonymous, but the very structure of the Internet encourages detailed logging such that creating anonymity friendly systems is quite hard.

All providers of privacy services are fundamentally saying “trust me and I will protect you.” Any claims about how a service works rely on the operator to have actually implemented the system as claimed. At the end of the day this is only backed up by the reputation of the operators of those systems. Choose wisely.

Criminals and other “hostiles” are indiscriminate in their use of technologies. They will use the best tool for any job. The Internet is no exception to this rule. While there is a long history and extensive precedent for plain clothes and undercover police and intelligence activities in the meatspace, the same is not true for cyberspace. Yet, the same need applies. If one is trying to engage with a criminal on the Internet, doing so as a law enforcement officer, from known law enforcement IP addresses, is going to imperil the investigation at the very least.

What does this mean for me and how I comport myself?

I have chosen to very publicly back the Anonymizer.com privacy services with my personal reputation. I have been active in the personal privacy space since I started running anonymous remailers as a grad student in 1992. I have been creating new privacy services since I wrote Mixmaster in 1993. I created the “Kosovo privacy project” during the Kosovo conflict to enable people in the country to report on atrocities going on. I have provided multiple anonymity and anti-censorship tools for the Chinese and Iranian people, protecting hundreds of thousands of their citizens against their own country. Human rights and free speech are passions of mine. Anonymizer.com itself has protected countless numbers of users of its services. In all that time there has never been a case where we have violated the privacy assurances we have made to our customers. This is not because we have not been tested. Anonymizer is regularly subpoenaed for information on our customers’ activities. Compare this to a relative newcomer, “HideMyAss.com.” They, as it turns out, did keep logs and were compelled to compromise the privacy of a member of LulzSec. There are numerous examples of Tor exit nodes monitoring and even altering traffic. With a much longer and weightier track record, you will find no such incidents with Anonymizer. It is logically impossible to prove a negative, but our history speaks volumes. Anonymizer will never provide a back door or violate any of our privacy assurances while my name is attached to it. Reputation is hard to earn and easy to squander. It is personally my most valuable asset.

Law enforcement and other government entities need anonymity and pseudonymity tools too. In their cases the people trying to pierce the veil are often much more motivated, skilled, funded, and resourced than those trying to identify ordinary individuals. It is not practical, reasonable, or desirable to have these groups simply ignore the Internet in the scope of their responsibilities. I have been involved in the creation and operation of numerous tools to enable such organizations to do their jobs on-line as they do off-line. In working with these people I have discovered that they are “people.” They hold diverse opinions about privacy and anonymity. Many are personally closely aligned with my beliefs. They are also tightly constrained by legal limitations on what they can do. Watching my U.S. government customers struggle with their legal departments to do even the simplest and most innocuous activities, while very frustrating, makes me sleep much better at night.

While there have certainly been times when the U.S. Government has overstepped its authorities, they are rare, and we know about these because they came out. The diversity of people in these organizations makes any of the grand conspiracies I see discussed on the Internet absurd on their face. Secrets are either known by very few people and thus limited in scope, are reasonable to just about everyone who all agree they should be kept secret, or will get leaked or blown in some way.

Some users of my personal / consumer privacy services see themselves as in opposition to some or all of my corporate or government users, and vice versa. I think both are important and I protect the anonymity of all of my customers equally. There is no “crossing of the streams.” None of my customers get any special insight into the identities or activities of any of my other customers. As above, there are no secrets like that which would last very long, and it would destroy my reputation.

Honor, reputation, and a man’s word being his bond may be very old fashioned ideas these days, but they carry great weight with me. I hope this clarifies where I stand.

Facebook tries to force you to use their email

Forbes recently noticed that Facebook suddenly, and basically without warning, made @facebook.com your default visible email address on your timeline.

I had no idea that such an email address even existed! I certainly don't check it explicitly. Emails to that address end up in your standard Facebook messages queue, which for me is mostly a black hole.

LifeHacker has a nice article on how to change the settings back to how you might want them.

You may not want some spammer to get that address and start filling up your Facebook messages queue.