Russia puts a bounty on Tor's head

The Russian Ministry of Internal Affairs recently announced a contest to create a method to identify Tor users, with a prize of about $114,000.

Clearly the government is worried about the ability of Tor to let people bypass the increasingly draconian Internet laws that have been put in place. This puts a big target on Tor, but people have been working on breaking Tor for years. This year a talk at Black Hat on cracking Tor anonymity was pulled without explanation after it had been announced and scheduled.

Being free and well established, Tor has the largest user base of any privacy service, so it is the obvious first target. Its distributed design also introduces paths for attack not available in other designs like Anonymizer Universal.

It will be interesting to see if this move drives Tor users to other services, and whether that in turn leads to expanded efforts to crack those tools.

Fancy $110,000? Easy! Just be Russian and find a way of cracking Tor | HOTforSecurity

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook, Twitter, and Google+.

The Social Network Show on KDWN Presents Lance Cottrell — The Social Network Station

On Sunday I appeared on The Social Network Show talking about general privacy and security issues. Follow the link below for the show's post and audio. The Social Network Show on KDWN Presents Lance Cottrell — The Social Network Station

How genealogy data can lead to identity theft

Irish Data Protection Commissioner Billy Hawkes has stepped in to have a database of civil registration records removed from the website IrishGenealogy.ie. The problem is that the database contains information on living persons which is often used for identity verification.

That would include things like mother’s maiden name and birth date. While these are public records, previously they had required payment of a fee, and it was not easily searchable on-line.

Of course, in the era of social media, these kinds of authenticators should have been disposed of long ago. Too many of them can be easily discovered by looking through Facebook accounts and the like.

This case also highlights the troubling nature of public records. In the past, records were public in the sense that anyone could go to a government building and access the paper records. They could not easily be searched as a whole, nor could the entirety of the records be pulled into a private database. This is a kind of security by obscurity, but a useful one. With Internet records, many people are not comfortable with just how public much of this information is. The old inconvenience placed a low but real barrier to data access, effectively ensuring that it was only done for specific people and for specific purposes. It is not at all clear how to get that back without losing all the advantages of Internet accessibility.

Personal details removed from site over ‘identity theft’ concerns

Google unblocked in China after Tiananmen anniversary has passed.

Multiple sources are reporting that Google services are once again available in China. They had been blocked in the lead up to the 25th anniversary of Tiananmen Square protests.

Access to Google services within China returns | Reuters

More proof that the web security model is totally broken

Fake Google Digital Certificates Found & Confiscated

On July 2, Google engineers discovered unauthorized certificates for Google domains in circulation. They had been issued by the National Informatics Center in India, which is a trusted sub-authority under the Indian Controller of Certifying Authorities (CCA). The CCA in turn is part of the Microsoft Root Store of certificates, so just about any program running on Windows, including Internet Explorer and Chrome, will trust the unauthorized certificates.

The power of this attack is that the holder of the private key for the certificate can impersonate secure Google servers. Your browser would not report any security alerts because the certificate is "properly" signed and trusted within the built-in trust hierarchy.

Firefox does not have the CCA in its root certificate list and so is not affected. Likewise Mac OS, iOS, Android, and Chrome OS are safe from this particular incident as well.

It is not known exactly why these certificates were issued, but the obvious use would be national surveillance.

While this attack seems to be targeted at India and only impacts the Microsoft ecosystem, the larger problem is much more general. There is a long list of trusted certificate authorities, which in turn delegate trust to a vast number of sub-authorities, any of which can trivially create certificates for any domain, and those certificates would be trusted by your computer.

In this case the attack was detected quickly, but had it been very narrowly targeted, detection would have been very unlikely and monitoring could have continued for a very long time.

As an end user, you can install Certificate Patrol in Firefox to automatically detect when a website’s certificate is changed. This would detect this kind of attack.

On Chrome you should enable "Check for server certificate revocation" in advanced settings. That will at least allow quick protection once a compromised certificate has been revoked.
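The Certificate Patrol approach above, as an added example in Python (not code from the original post, from Anonymizer, or from the Certificate Patrol project): it pins the leaf certificate fingerprint per host on first contact and flags later changes, treating a change of issuer as the alert-worthy case. The DER bytes and issuer names in demo() are constructed for illustration; fetch_observation() is the live path and is not exercised by the demo.

```python
"""Certificate-change detector in the spirit of Certificate Patrol.

Added example, not code from the original post or from Anonymizer or the
Certificate Patrol project. It keeps a trust-on-first-use store of leaf
certificate fingerprints per host and flags any later observation whose
fingerprint or issuer differs from what was recorded. The DER bytes and
issuer names used in demo() are constructed for illustration.
"""
import hashlib
import socket
import ssl
from dataclasses import dataclass


@dataclass
class Observation:
    host: str
    der: bytes    # leaf certificate as presented, DER encoded
    issuer: str   # issuer common name taken from that certificate


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER bytes, the fingerprint browsers display."""
    return hashlib.sha256(der).hexdigest()


class PinStore:
    """host -> (fingerprint, issuer), learned on first contact."""

    def __init__(self):
        self.pins = {}

    def check(self, obs: Observation) -> str:
        fp = fingerprint(obs.der)
        if obs.host not in self.pins:
            self.pins[obs.host] = (fp, obs.issuer)
            return "first-seen"
        known_fp, known_issuer = self.pins[obs.host]
        if fp == known_fp:
            return "ok"
        # The fingerprint change is the hard signal. The issuer name only
        # helps triage: renewal by the same CA is routine, while a leaf for
        # the same host signed by some other authority is the shape of the
        # NIC India incident and should be investigated before trusting it.
        if obs.issuer == known_issuer:
            self.pins[obs.host] = (fp, obs.issuer)
            return "rotated"
        return "ALERT: issuer changed %s -> %s" % (known_issuer, obs.issuer)


def fetch_observation(host: str, port: int = 443) -> Observation:
    """Live path: record the leaf certificate a server actually presents."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            rdns = tls.getpeercert()["issuer"]
            issuer = dict(pair for rdn in rdns for pair in rdn).get("commonName", "?")
    return Observation(host, der, issuer)


def demo():
    """Replay constructed observations against one store."""
    store = PinStore()
    host = "mail.example.test"
    genuine = Observation(host, b"constructed-leaf-v1", "Example Trusted CA")
    renewed = Observation(host, b"constructed-leaf-v2", "Example Trusted CA")
    rogue = Observation(host, b"constructed-leaf-rogue", "Some Other Sub-CA")
    return [store.check(o) for o in (genuine, genuine, renewed, rogue)]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

A default SSL context still validates the chain, so a mis-issued certificate from a trusted sub-authority passes that check; the pin comparison is what catches it.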

Update: Microsoft has issued an emergency patch removing trust from the compromised authority.

New Russian law requires data to be stored inside Russia

Continuing the pattern of Internet restrictions I talked about before, Russia has passed a new law requiring Internet companies to keep the personal data of Russians in data centers within the country. The ostensible reason for this is to protect Russians against US Government snooping (in the wake of the Snowden leaks), and against other outside threats.

The law requires that companies doing business in Russia must open data centers within the borders by 2016 or be blocked.

There are many ways for people motivated to bypass these restrictions to access whatever they want, but most people will just use what is available, giving the Russian government more ability to monitor the activities of its citizens.

Russia passes law requiring online personal data to be stored inside its borders | The Verge

You might be hacked through your lightbulbs

A vulnerability in LIFX WiFi-enabled light bulbs allowed researchers at Context Information Security to control the lights and access information about the local network setup.

The whole “Internet of Things” trend is introducing all kinds of new vulnerabilities. Because these devices tend to be cheap, don’t feel like tech, and don’t expose much user interface, users are unlikely to secure, patch, or otherwise maintain them.

As these devices proliferate in our networks, we will be introducing ever more vulnerabilities, most of them invisible, usually without any thought to the consequences.

Security weakness found in WiFi enabled LED light bulb

The Privacy Blog Podcast - Ep. 21:

In episode 21 of our podcast for July, I talk about:

  • A decision giving Canadians more rights to Anonymity
  • Iraq's recent blocking of social media and more
  • Iran's outright criminalization of social media
  • A court decision requiring warrants to access cell tower location data
  • Another court stating that irrelevant seized data needs to be deleted after searches
  • A massive failure of data anonymization in New York City
  • A court requiring a defendant to decrypt his files so they can be searched
  • The Supreme Court ruling protecting cellphones from warrantless search.
  • Phone tracking streetlights in Chicago
  • And a small change for iPhones bringing big privacy benefits

Supreme Court requires warrant for cell phone searches

In a unanimous decision, the Supreme Court ruled that police must obtain a warrant before searching a suspect's cellphone. Before this, cellphones were treated just like anything else a suspect might carry, including a wallet, keys, an address book, or various other "pocket litter".

Police are generally allowed to search suspects for weapons and to prevent the destruction of evidence. Because of the massive amount of storage on a modern smartphone, and its direct connection to so many other stores of data and communications, the court felt that the contents of these devices were qualitatively different and deserving of greater protection.

It is important to remember that the police can still take the phone, and that they can then get a warrant to search it if there is probable cause. They are simply prevented from searching it without the warrant, possibly in the hope (but not expectation) of finding evidence.

This decision may lay the groundwork for according similar protections to cloud stored data, which once would have been kept in the home in hard copy. Law enforcement officials claim that technology is making life easier for criminals and harder for law enforcement. I find that hard to believe and have not seen any really good studies of the matter. If you have, please let me know!

It strikes me that the routine preservation of emails and other communications, along with the massive use of server logged communications from text messages to social media, actually makes things much easier for law enforcement on the whole.

The fact that the decision was unanimous suggests that we may be entering a period of re-evaluating outdated precedents from the pre-internet era.

Some key quotes from the decision:

  • Regarding treating phones like other pocket litter: "That is like saying a ride on horseback is materially indistinguishable from a flight to the moon."
  • On the impact on law enforcement: "Privacy comes at a cost."
  • "Cell phones differ in both a quantitative and a qualitative sense from other objects that might be kept on an arrestee's person. The term 'cell phone' is itself misleading shorthand; many of these devices are in fact minicomputers that also happen to have the capacity to be used as a telephone. They could just as easily be called cameras, video players, rolodexes, calendars, tape recorders, libraries, diaries, albums, televisions, maps, or newspapers."
  • "The scope of the privacy interests at stake is further complicated by the fact that the data viewed on many modern cell phones may in fact be stored on a remote server. Thus, a search may extend well beyond papers and effects in the physical proximity of an arrestee, a concern that the United States recognizes but cannot definitively foreclose."
  • "Our answer to the question of what police must do before searching a cellphone seized incident to an arrest is accordingly simple—get a warrant."

Some Excellent Articles for further reading:

With cellphone search ruling, Supreme Court draws a stark line between digital and physical searches - The Washington Post

Police Need a Warrant to Search Your Cellphone, Supreme Court Says | Re/code

Supreme Court: Police Need Warrants to Search Cellphone Data - WSJ

Note: In the picture above, the policeman is actually just using his own cellphone.

If you don't admit you won't decrypt

The Massachusetts High Court recently ruled that a suspect can be compelled to decrypt disks, files, and devices which have been seized by law enforcement. The crux of the question before the court was whether compelling the password for decryption is forbidden by the Fifth Amendment protection against self-incrimination.

The analogy one most often sees is to being compelled to provide the combination to a safe, the contents of which are subject to a search warrant. That is well settled law: you can be compelled to do so.

The court said:

We now conclude that the answer to the reported question is, "Yes, where the defendant's compelled decryption would not communicate facts of a testimonial nature to the Commonwealth beyond what the defendant already had admitted to investigators." Accordingly, we reverse the judge's denial of the Commonwealth's motion to compel decryption.

In this case, there was nothing testimonial about decrypting the files because the defendant had already admitted to owning the computers and devices, and to being able to decrypt them.

The much more interesting situation will come in a case where the defendant says they never had, or have forgotten, the password. One cannot be compelled to do something impossible, but generally the burden of proving the impossibility falls on the defendant. In this case one would have to prove a negative. How could you prove that you don't have the password? The only thing that can be proved is that you do, and only by using it.

This ruling is only binding in the state of Massachusetts, but is likely to be influential in cases in other areas.

Massachusetts High Court Permits Compelled Decryption of Seized Digital Evidence | The National Law Review

Update: It looks like I am wrong about providing the combination to a safe being settled law. Thanks Joey Ortega for setting me straight.

Data anonymization is hard - this time shown with NYC taxi data

One often hears that some massive collection of data will have no privacy implications because it has been "anonymized". Any time you hear that, treat the statement with great skepticism. It turns out that effectively anonymizing data, making it impossible to identify the individuals in the data set, is much harder than you might think. The reason comes down to combinatorics and structured information.

This article on Medium by Vijay Pandurangan discusses a massive data set of NYC taxis, complete with medallion number, license number, time and location of every pick-up and drop-off, and more. The key to unraveling it is that there are just not that many taxi medallions, and the numbering structure only allows for a manageable number of possible combinations (under 24 million). While that would be a lot to work through by hand, Vijay was able to hash and identify every single one in the database in under 2 minutes.

Another approach would have been to make a set of known trips, note the location, time, etc., then use that to map the hash to the true identity. More work, but very straightforward.

Even harder is the problem of combinatorics when applied to "non-identifying" data. One will often see birth date (or partial birth date), ZIP code, gender, age, and the like treated as non-identifying. Just five-digit ZIP code, date of birth, and gender will uniquely identify people 63% of the time.

A study of cell phone location data showed that just 4 location references were enough to uniquely identify individuals.

This is a great resource on all kinds of de-anonymization.

The reality is that, once enough data is collected, it is almost certainly identifiable. Aggregation provides the best anonymization, where individual records represent large groups of people rather than individuals.
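Both points above, the small medallion key space and the uniqueness of "non-identifying" fields, as an added Python example that is not code from the original post or from Vijay Pandurangan's article. The medallion format (one digit, one letter, two digits, 26,000 values) and the sample records are constructed stand-ins, not the real NYC scheme; the block also shows the keyed-hash alternative that an outsider cannot tabulate without the key.

```python
"""Why hashing a small identifier space is not anonymization.

Added example, not code from the original post or from Vijay Pandurangan's
article. The medallion format assumed here (one digit, one letter, two
digits, e.g. "3B17", 26,000 values) is a constructed stand-in for the real
NYC scheme, chosen only to keep the key space small enough to enumerate in
a blink. Hashing every candidate once reverses an unkeyed hash; a keyed
hash (HMAC) with a secret the publisher never releases cannot be tabulated
without that key; and a k-anonymity count shows when "non-identifying"
fields such as ZIP, date of birth and gender single people out anyway.
"""
import hashlib
import hmac
import itertools
import string
from collections import Counter


def all_medallions():
    """Enumerate the assumed format D L DD: 10 * 26 * 100 = 26,000 values."""
    for d, l, n in itertools.product(string.digits, string.ascii_uppercase, range(100)):
        yield "%s%s%02d" % (d, l, n)


def weak_pseudonym(medallion: str) -> str:
    """Unkeyed MD5: what the taxi release did, and what the table below undoes."""
    return hashlib.md5(medallion.encode()).hexdigest()


def keyed_pseudonym(medallion: str, key: bytes) -> str:
    """HMAC-SHA256: an outsider without `key` cannot precompute the table."""
    return hmac.new(key, medallion.encode(), hashlib.sha256).hexdigest()


def build_reverse_table():
    """One pass over the whole space; this is the 'under 2 minutes' step."""
    return {weak_pseudonym(m): m for m in all_medallions()}


def recover(pseudonyms, table):
    """Map each published hash back to its medallion, None when unknown."""
    return [table.get(p) for p in pseudonyms]


def k_anonymity(records, quasi_ids):
    """Smallest group sharing the same quasi-identifier tuple.
    A result of 1 means at least one person is unique on those fields alone."""
    groups = Counter(tuple(r[q] for q in quasi_ids) for r in records)
    return min(groups.values())


# Constructed sample records: three riders, two of whom share every
# quasi-identifier, one of whom is unique on ZIP + DOB + gender.
SAMPLE_RECORDS = [
    {"zip": "10001", "dob": "1980-05-01", "gender": "F", "fare": 12.5},
    {"zip": "10001", "dob": "1980-05-01", "gender": "F", "fare": 8.0},
    {"zip": "10002", "dob": "1975-11-30", "gender": "M", "fare": 21.0},
]


if __name__ == "__main__":
    table = build_reverse_table()
    published = [weak_pseudonym(m) for m in ("3B17", "9Z99")]
    print("recovered:", recover(published, table))
    print("keyed lookup:", recover([keyed_pseudonym("3B17", b"secret")], table))
    print("k-anonymity on zip/dob/gender:", k_anonymity(SAMPLE_RECORDS, ("zip", "dob", "gender")))
```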

Update: small edit for clarification of my statement about aggregation.

Chicago to track cell phones with streetlight poles

The city of Chicago is getting ready to deploy several monitoring stations on light poles along Michigan Avenue. In addition to collecting environmental information like sound volume, light intensity, and air quality, the devices will also count people by detecting wireless signals from passing mobile devices.

The system is designed to only count devices without capturing unique identifiers. While this may be true, it would certainly be easy to change in the future with only a tiny tweak to the software.

This setup looks similar to the tracking trashcans I discussed last year.

Capturing this kind of data is inevitable, and would be invisible if the city had not announced its intentions. The key will be to ensure appropriate protections for collected information, whoever does the collecting. It is refreshing that all of the data captured as part of this project will be published immediately. Assuming nothing is held back, that will give a clear sense of exactly what kinds of information can be extrapolated from the raw data.

Additionally, architectural changes like the random MAC addresses in iOS 8 can significantly improve privacy in the face of such monitoring and tracking.

Chicago Tribune - New sensors will scoop up 'big data' on Chicago

Law enforcement can't keep your seized files forever (anymore)

The US Second Circuit Court of Appeals just ruled on a very important case about Fourth Amendment protections for seized computer files. While this ruling is only binding on courts in the 2nd Circuit, it will be influential, and we are likely to see this issue addressed by the Supreme Court before too long.

The reality of computer forensics is that investigators start by grabbing everything off the computers they are searching, then look for the specific information specified in the warrant. Generally this is done by making a direct image of the computer's hard drive. From there additional copies are made so the chain of evidence is clean and the original image can be shown to be unchanged. It is impractical to try to capture only the targeted information because the volumes are often so large that the search must be automated and may take considerable time. Additionally, suspects may have taken steps to hide files on the disks.

The upshot of this is that the law enforcement entity now has a great many documents far outside the scope of the warrant. This is where we come to the specifics of the case United States v. Ganias. In 2003 the government searched Ganias' computers as part of a fraud investigation. As I described, they captured full images of all the computers' hard drives onto 19 DVDs. After completing their searches, they kept the DVDs.

In 2006, they thought Ganias might be involved in tax related crimes, so they obtained warrants to search the DVDs they had in storage for this different set of documents.

The 2nd Circuit ruled to suppress the evidence obtained from that 2006 warrant because the documents searched should never have been seized in the first place.

The ruling recognizes the realities of the search process, and allows for capture of full drive images and keeping that data for a reasonable time, but specifically forbids keeping it indefinitely as a source of information for future searches. That would completely void the Fourth Amendment, which requires that the warrant specify the specific things to be searched.

As a reminder, the full text of the Amendment is:

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

Thanks to the Washington Post for a more detailed legal analysis: Court adopts a Fourth Amendment right to the deletion of non-responsive computer files - The Washington Post

Specifics on recent Iraq censorship orders

Iraq Telecom Ministry Orders ISPs: Kill The Internet in Five Provinces | SMEX: Channeling Advocacy

If this is real, it is an interesting view into the specifics of Internet censorship in Iraq. I find "Block all access to VPN in all Iraq from 4 pm until 7 am on daily basis” particularly interesting.

Just trying to prevent attack coordination at night?

Iran criminalizes Facebook

Iran has taken the next step beyond censorship to criminalize the use of social media, particularly Facebook.

Iran has long had one of the strictest and most effective Internet censorship regimes, but huge numbers of Iranians were still able to skirt the blocking to access social media websites, generally under false names. Actually criminalizing the activity adds a huge chilling effect for those striving for free access to information and speech. Using Facebook is now not just difficult, but also dangerous.

Obviously it is unlikely that someone posting positive messages about Iran, or the mullahs, would be prosecuted. This is a big stick that can be swung at dissidents and any opposition.

Ironically, many within the government, including President Hassan Rouhani, have and actively use Facebook and Twitter accounts. Hypocrisy is never lacking in repressive governments.

Iran makes accessing Facebook a crime | VentureBeat | Social | by Richard Byrne Reilly

Canadian Supreme Court ruling protects on-line anonymity

Canada's Supreme Court just released a ruling providing some protection for on-line anonymity. Specifically, the ruling requires law enforcement to obtain a warrant before going to an Internet provider to obtain the identity of a user. Previously they were free to simply approach the provider and ask for (but not compel) the information.

The judges found that there is a significant expectation of privacy with respect to the identifying information, and that anonymity is a foundation of that right.

Unfortunately the case in question revolves around child pornography, which creates a great deal of passion. Much of the reaction against the decision has come from those working to protect abused children. Because the ruling's implications lie primarily far from child porn cases, I applaud the court for taking the larger and longer view of the principle at work.

It is important to remember that the court is not saying that the information cannot be obtained. This is not an absolute protection of anonymity. This decision simply requires a warrant for the information, ensuring that there is at least probable cause before penetrating the veil of anonymity.

Other analysis: here, here, here.

Iraq blocking social media as a defense against ISIS

Iraq Crisis: Twitter, Google, YouTube and Facebook Blocked by Government to Stop Isis Plotting

Many sources are reporting that most major social networks are being blocked in Iraq.

It is generally assumed that this is being done to prevent use of these tools for organization and propaganda by Islamic State of Iraq and the Levant (ISIS). I am not seeing reports of blocking VPNs and other censorship circumvention tools. We are actively monitoring Anonymizer for any evidence of such activity.

Law enforcement access to your cell tower location may require a warrant

A federal appeals court in Atlanta ruled that there is an expectation of privacy in cell tower location information, and that it is therefore protected by the Fourth Amendment. This runs counter to other recent rulings that allow access to the information without a warrant under the Stored Communications Act.

The recent ruling relies on precedent from the 2012 Supreme Court decision in United States v. Jones, which held that a warrant was required to place a tracking device on a suspect's car. Phone records provide the same information, just by a different technical means.

This would not apply to intelligence gathering activities, nor would it prevent access to your location information with a warrant. It is a move to recognize that our personal information, about which we have real privacy interests, increasingly lives in the networks of third parties. Laws that assume anything sensitive would be on paper and stored in your house or on your person are absurdly outdated.

For now this is only a local precedent. The issue will almost certainly end up in the Supreme Court at some point.