Holder is wrong - backdoors and security can not coexist.

October 01, 2014 by lance in apple, Cryptography, legal

In the article below Attorney General Eric Holder said "“It is fully possible to permit law enforcement to do its job while still adequately protecting personal privacy”

This is simply not true, and harkens back to the discredited arguments made by the FBI in the 1990’s about the Clipper Chip. It is hard enough to make secure computing systems, and we are not very good at it as all the breaches demonstrate. Intentionally introducing a vulnerability, which is the essential nature of back door or law enforcement access, is madness. If there is a back door, then keys exist, and can be compromised or reverse engineered. It is an added complexity to the system, which is almost certain to introduce other vulnerabilities. Its use would not be restricted to the US. Once it exists every government will demand access.

Social media and the cloud have tilted the balance of power absurdly towards law enforcement. This argument that they must retain access to encrypted cell phones is fatuous.

Holder urges tech companies to leave device backdoors open for police - The Washington Post

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook, Twitter, and Google+.

2 Apple security fumbles: Random MAC and Password Prediction

September 30, 2014 by lance in apple, iOS, Podcast, Wi-Fi

Apple Store Chicago Apple is getting taken to task for a couple of security issues.

First, their recently announced “Random MAC address” feature does not appear to be as effective as expected. The idea is that the iOS 8 device will use randomly generated MAC addresses to ping WiFi base stations when it is not actively connected to a WiFi network. This allows your phone to identify known networks and to use WiFi for enhanced location information without revealing your identity or allowing you to be tracked. Unfortunately the MAC only changes when the phone is sleeping, which is really rare with all the push notifications happening all the time. The effect is that the “random” MAC addresses are changed relatively infrequently. The feature is still good, but needs some work to be actually very useful.

Second, people are noticing their passwords showing up in Apples iOS 8 predictive keyboard. The keyboard is designed to recognize phrases you type frequently so it can propose them to you as you type, thus speeding message entry. The problem is that passwords often follow user names, and may be typed frequently. Research is suggesting that the problem is from websites that fail to mark their password fields. Apple is smart enough to ignore text in known password fields, but if it does not know that it is a password, then the learning happens. It is not clear that this is Apple’s fault, but it is still a problem for users. Auto-fill using the latest version of 1Password should protect against this.

https://www.youtube.com/watch?v=ceC9jMIpszI

[powerpress]

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me onFacebook, Twitter, and Google+.

Apple can't decrypt your phone

September 26, 2014 by lance in apple, cellular, Cryptography, Personal Privacy

IPhone lock screen iOS8 Since it was introduced, Apple has had the ability to decrypt the contents if iPhones and other iOS devices when asked to do so (with a warrant).

Apple recently announced that with iOS 8 Apple will no longer be able to do so. Predictably, there has been a roar of outrage from many in law enforcement. [[Insert my usual rant about how recent trends in technology have been massively in favor of law enforcement here]].

This is really about much more than keeping out law enforcement, and I applaud Apple for (finally) taking this step. They have realized what was for Anonymizer a foundational truth. If data is stored and available, it will get out. If Apple has the ability to decrypt phones, then the keys are available within Apple. They could be taken, compromised, compelled, or simply brute forced by opponents unknown. This is why Anonymizer has never kept data on user activity.

Only by ensuring that they can not do so can Apple provide actual security to it customers against the full range of threats, potentially least of which is US law enforcement.

https://www.youtube.com/watch?v=l236gjtzeTc

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me onFacebook, Twitter, and Google+.

Russia accelerates requirement for local Internet control

September 26, 2014 by lance in Censorship, Internet, Russia

Russia whitehouse gate On September 24, the Russian Duma passed a bill moving the date on which all Internet services must host local data locally from Sept 1, 2016 to Jan 1, 2015. That is an effectively impossible timeline for international Internet companies, which is probably the whole point.

While the bill has not been finally passed, the remaining steps are mostly formality.

Russia is suggesting that foreign firms could rent infrastructure, if they will have no time to build, giving Russia even stronger leverage.

My original post on the law was back in July, and I talked about other Russian Internet control and censorship activity here.

https://www.youtube.com/watch?v=FmH4hK05_78

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook, Twitter, and Google+.

Security of offshore servers becoming even more illusory.

September 22, 2014 by lance in International, legal, Legislation, Surveillance

If this amendment passes, it will significantly reduce the perceived advantages of using servers outside the US. No only would the server still be subject to whatever legal process exists in the hosting country, but they would also be open to legal hacking by the USG.

Newly Proposed Amendment Will Allow FBI to Hack TOR and VPN Users | Hack Read

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook, Twitter, and Google+.

What is up with those "fake" cell towers?

September 16, 2014 by lance in cellular, Surveillance

HiRes When you think your phone is connected to your wireless provider, you might actually be connected to a rogue tower set up to capture your data.

Such devices have been demonstrated at the Black Hat security conference and a law enforcement fake tower called “Stingray” has been known for some time. Recently sophisticated secure phones have been able to detect these fake towers and people are starting to map them. Popular Science covered it here, and here.

There is very little transparency around law enforcement or US Intelligence use of such devices, so the could just as easily be operated by foreign intelligence services, criminals, or hackers. If we had strong end to end encryption there would be little to worry about, but many Internet connections and all phone calls are vulnerable to this attack.

https://www.youtube.com/watch?v=FR-9A6FVVHk

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook, Twitter, and Google+.

False sense of security "exposes" escort service customers.

September 09, 2014 by lance in Personal Privacy

Hide head behind laptop

In many cases, a false sense of security causes people to put themselves at much greater risk.

The following article describes a “burner” phone service that re-uses the temporary phone numbers. It appears that number a security researcher received was previously used by a sex worker, who’s customers continued to send pictures and messages to the number after it had been re-assigned.

DOH!

Recycled 'burner' number sends sex worker's clients to security researcher | ZDNet

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook, Twitter, and Google+.

The Privacy Blog Podcast - Ep. 23

September 05, 2014 by lance in Anonymity, Facebook, Podcast

In episode 23 of our podcast for August 2014, I talk about:

The absurd alarmism over the new Facebook Messenger App’s privacy settings
Brazil’s move to ban anonymity
How the secrecy of the secret app has been compromised
and finally how Tor users were put at risk by a fake website

SWCAAS - Secret Warrant Compliance as a Service

September 05, 2014 by lance in legal, Online Privacy, Surveillance

FISA court order cropped

Here is a new “as a service” offering I had never considered. Companies are supporting ISPs in responding to classified FISA court search warrants for the ISPs, including helping to capture the data and deciding if the request is proper.

Meet the shadowy tech brokers that deliver your data to the NSA | ZDNet

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook, Twitter, and Google+.

A tale of bad passwords and nude photos.

September 02, 2014 by lance in apple, Cloud, Personal Privacy, Security Breaches

HiRes The Internet is on fire with discussions of the recent release of stolen nude photos of over 100 female celebrities. This is a massive invasion of their privacy, and it says something sad about our society that there is an active market for such pictures. While this particular attack was against the famous, most of us have information in the cloud that we would like to stay secret.

While there is not a definitive explanation of the breach the current consensus is that it was probably caused by a vulnerability in Apple’s “Find My iPhone” feature. Apparently the API interface to this service did not check for multiple password failures, a standard security practice. This allowed attackers to test effectively unlimited numbers of passwords for each of the accounts they wanted to access.

Because most people use relatively weak passwords, this attack is quite effective. Once they gained access to the accounts, they could sync down photos or any other information stored in iCloud.

Of course, the first rule of secrecy is: If it does not exist, it can’t be discovered.

If you do want to create something that you would be pained to see released publicly, then make sure you keep close control of it. Store it locally, and encrypted.

Wherever you keep it, make sure it has a strong password. Advice for strong passwords has changed over time because of the increasing speed of computers. It used to be that fancy pneumonics would do the trick but now the fundamental truth is: if you can remember it, it is too weak.

This is particularly true because you need to be using completely different passwords for every website. Changing a good password in a simple obvious way for every website is obvious. It might prevent brute force attacks but if some other attack gives access to your password, the attacker will be able to easily guess your password on all other websites.

You need to be using a password manager like 1Password (Mac), LastPass, Dashlane, etc. Let the password manager generate your passwords for you. This is what a good password should look like: wL?7mpEyfpqs#kt9ZKVvR

Obviously I am never going to remember that, but I don’t try. I have one good password that I have taken the time to memorize, and it unlocks the password manager which has everything else.

UPDATE: There appears to be some question about whether this vulnerability is actually to blame.

Cosplay for Privacy!

September 02, 2014 by lance in Anonymity, Online Privacy

Secret Identity All The Best Dragon Con Cosplayers Fighting For Online Privacy

In a brilliant campaign, IO9 and the EFF is having cosplayers pose with pro-anonymity, pro-privacy, and pro-pseudonymity signs. See the whole set here. The most popular seems to be “I have a right to a Secret Identity!”.

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook, Twitter, and Google+.

Attacks On Anonymity Conflate Anonymous Speech With Trollish Behavior | Techdirt

August 26, 2014 by lance in Anonymity, Internet

Troll and laptop

Attacks On Anonymity Conflate Anonymous Speech With Trollish Behavior | Techdirt

It turns out that people say nasty things under their real names, and people also say valuable things anonymously.

Shocking!

It is amazing how often I see respected academics and other thinkers get incredibly sloppy in their reasoning when it comes to anonymity. They frequently assume correlations for which they have no evidence, and propose solutions with no consideration of the consequences.

I appreciate the rational perspective in articles like this.

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook, Twitter, and Google+.

Anonymity is only as stong as the group you are hiding in

August 22, 2014 by lance in Anonymity, Internet, Personal Privacy, Security Breaches, Social Networking

Unknown known

Your Anonymous Posts to Secret Aren’t Anonymous After All | Threat Level | WIRED

This article describes a clever attack against Secret, the “anonymous” secret sharing app.

Their technique allows the attacker to isolate just a single target, so any posts seen are known to be from them. The company is working on detecting and preventing this attack, but it is a hard problem.

In general, any anonymity system needs to blend the activity of a number of users so that any observed activity could have originated from any of them. For effective anonymity the number needs to be large. Just pulling from the friends in my address book who also use Secret is way too small a group.

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook, Twitter, and Google+.

Brazil enforcing ban on Anonymity

August 20, 2014 by lance in Anonymity, Censorship, International

A Brazilian court is enforcing a constitutional ban on anonymity by requiring Apple and Google to remove Secret, an anonymous social network chatting app from their app stores. Microsoft is being required to remove Cryptic, a similar windows phone app. In addition to that, they have been ordered to remove the app from the phones of all users who have installed it. These kinds of retroactive orders to have companies intrusively modify the contents of all of their customer’s devices are concerning. At least these apps are free, if users had paid for them, that would introduce another complication.

One wonders how this will apply to tourists or business travelers visiting Brazil. Will their phones be impacted as well?

The law exists to allow victims of libel or slander to identify and confront their those speakers.

While this ruling only applies to Apple, Google, and Microsoft, and only with respect to the Secret and Cryptic apps, the underlying principle extends much further. There are still final rulings to come, so this is not the last word on this situation.

Anonymizer has had a great many Brazilian customers for many years. Anonymizer provides those users important protections which are well established in international human rights law. We certainly hope that they will continue to be allowed to use our services.

Brazil Court Issues Injunction Against Secret And Calls For App To Be Remotely Wiped | TechCrunch

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook, Twitter, and Google+.

Facebook Messenger alarmism is distracting from real Internet privacy issues

August 11, 2014 by lance in Facebook, Mobile, Online Privacy, Stupidity

FacebookMessenger nouveau logo

The Internet is on fire with outrage right now about the security warnings in the Facebook Messenger app. The furor is based on the viral spread of a post on the Huffington Post back in December of last year. The issue has come to the fore because Facebook is taking the messaging capability out of the main Facebook app, so users will have to install the Messenger app if they want to continue to use the capability.

The particular problem is with the warnings presented to users when they install the app on Android. Many articles are describing this as the “terms of service” but the warning are the standard text displayed by Android based on the specific permissions the app is requesting.

Here are the warnings as listed in that original the Huffington Post article:

Allows the app to change the state of network connectivity
Allows the app to call phone numbers without your intervention. This may result in unexpected charges or calls. Malicious apps may cost you money by making calls without your confirmation.
Allows the app to send SMS messages. This may result in unexpected charges. Malicious apps may cost you money by sending messages without your confirmation.
Allows the app to record audio with microphone. This permission allows the app to record audio at any time without your confirmation.
Allows the app to take pictures and videos with the camera. This permission allows the app to use the camera at any time without your confirmation.
Allows the app to read you phone's call log, including data about incoming and outgoing calls. This permission allows apps to save your call log data, and malicious apps may share call log data without your knowledge.
Allows the app to read data about your contacts stored on your phone, including the frequency with which you've called, emailed, or communicated in other ways with specific individuals.
Allows the app to read personal profile information stored on your device, such as your name and contact information. This means the app can identify you and may send your profile information to others.
Allows the app to access the phone features of the device. This permission allows the app to determine the phone number and device IDs, whether a call is active, and the remote number connected by a call.
Allows the app to get a list of accounts known by the phone. This may include any accounts created by applications you have installed.

This strikes me as more an inditement of the over broad requests for permissions by apps in Android than any particular evil intent on Facebook’s part. Obviously many of these things would be very bad indeed, if Facebook actually did them. After significant searching I have not seen any suggestion at all that Facebook is or is likely to do any of these things without your knowledge.

Many articles are ranting about the possibility that Facebook might turn on your camera or microphone without warning and capture embarrassing sounds or images. Doing so would be disastrous for Facebook, so it seems very unlikely.

After reviewing the actual Facebook privacy policies and terms of service in the Messenger app, I don’t see any sign that these actions would be permitted but of course Facebook does have the right to change the policies, basically at will.

Don’t take from this that I am a Facebook apologist. Anyone looking back through this blog will see many cases where I have criticized them and their actions (here, here, here, here for example). There are major problems with the amount of data Facebook collects, how they collect it from almost everywhere on the Internet (not just their website or apps), and their privacy policies. I have turned off location tracking for the Messenger app on my iPhone because I don’t want Facebook tracking that.

However….. Facebook is not going to start turning on your camera at night to take naked pictures of you! There is a lot about privacy on the Internet to worry about, lets stay focused on the real stuff rather than these fantasies.

"The Big Hack, or maybe not..." — The Social Network Station

August 11, 2014 by lance in Interview, Security Breaches

"The Big Hack, or maybe not..." — The Social Network Station

On Friday I was asked to come on The Social Network Show to talk about the fact and questions surrounding the theft of over 1 Billion passwords.

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook, Twitter, and Google+.

The Privacy Blog Podcast - Ep. 22

August 03, 2014 by lance in Podcast

Welcome to episode 22 of the Privacy Blog Podcast for July, 2014.In this episode I will talk about:

A recent revealed compromise of the Tor anonymity system
Why Canvas Fingerprinting both is and is not a big deal
The coming conflict between US searches and EU privacy
How even genealogy information can compromise your identity
An update on Chinese censorship
Why the security model of the web is hopelessly broken
Russia’s continuing crackdown on the Internet
and finally how Lightbulbs, among other things, can
compromise your network

Canvas Fingerprinting: a reality check

July 31, 2014 by lance in Tracking

Fingerprint to binary

The Internet is buzzing with discussions about a new kind of tracking called Canvas Fingerprinting. In fact, the technique goes back to a paper by Mowery and Shacham back in 2012. Canvas Fingerprinting gets most of its information from the hardware and software used to render images on a given computer. When asked to render a geometric curve or a modern font to the screen, the system has many decisions to make in the process of turning that into the brightness and color values of the pixels in the image. The technique for creating the Canvas Fingerprint is to give the browser a somewhat complex image to render, capture the actual pixel values produced, which is then hashed down to make the actual fingerprint.

Canvas Fingerprinting is really just another technique for capturing information about a user’s computer as part of a larger system fingerprint. I have been talking about tools like Panopticlick which take all kinds of different information they can see about your computer’s configuration to try to create a unique identifier. Testing my computer right now it says that my browser fingerprint contains at least 22 bits of entropy and is unique among the roughly 4.3 million users they have tested so far. Panopticlick uses information about the browser, operating system, time zone, fonts, plugins, and such to create the identifier.

By comparison, Canvas Fingerprinting contains on average 5.7 bits of entropy meaning that about one in 52 people on the Internet would have the exact same fingerprint. That makes it a lousy identifier on its own.

The real power of this new technique is in combination with other fingerprints like those used in Panopticlick. By combining the two there is about 27.7 bits of entropy which would identify me to one in 218 Million people. Once of the strengths of Canvas Fingerprinting is that it captures very different kinds of information than many other methods. For example, because a windows machine comes with a whole bunch of fonts installed, knowing that a computer is running windows immediately tells you a lot about the fonts. The two bits of information are hight correlated. The Canvas Fingerprint mostly gives information about the graphics subsystems. Knowing the operating system does not tell you very much at all about the specific chipset or firmware in the graphics processor, they are mostly independent.

So, in short Canvas Fingerprinting is not that big a deal, and folks should not get so worked up about it, however system fingerprinting in general IS a big deal. It is now good enough to allow individual users to be tracked even if they are deleting all their cookies and hiding their IP addresses with tools like Anonymizer Universal. System fingerprints are not identifying in the same way an IP address is, but they do allow a person to be recognized when they revisit a website, or a cooperating website.

Current best practice to minimize System Fingerprint based tracking (including Canvas Fingerprinting) is to run the browser inside a clean and un-customized virtual machine, which you then revert back to the clean state at the end of every use. That will give your browser a maximally generic identifier, while also eliminating all other kinds of tracking techniques.

Showdown: US search warrants vs. EU Privacy laws

July 31, 2014 by lance in EU, Internet, legal

EU Flags photo

A New York district judge has ruled that Microsoft must comply with US search warrants for emails stored in European data centers. The argument is that as a US company, Microsoft is subject to the order, and because it has control of its European subsidiary which in turn has control of the data center in Europe, it should therefor comply.

This will put Microsoft, and many other US Internet companies, in a tricky place. The EU data protection laws are being expanded to explicitly bar EU subsidiaries of US companies from sending data outside the EU for law enforcement or intelligence purposes.

This also further undermines confidence in the security and privacy of data held by US Internet companies.

Microsoft ordered to hand over overseas email, throwing EU privacy rights in the fire | ZDNet

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook, Twitter, and Google+.

Attack on Tor may have exposed hidden services and more.

July 30, 2014 by lance in Anonymity, Security Breaches, Tor

TorAppLogo Tor just announced that they have detected and blocked an attack that may have allowed hidden services and possibly users to be de-anonymized.

It looks like this may be connected to the recently canceled BlackHat talk on Tor vulnerabilities. One hopes so, otherwise the attack may have been more hostile than simple research.

Tor is releasing updated server and client code to patch the vulnerability used in this attack. This shows once again one of the key architectural weaknesses in Tor, the distributed volunteer infrastructure. On the one hand, it means that you are not putting all of your trust in one entity. On the other hand, you really don’t know who you are trusting, and anyone could be running the nodes you are using. Many groups hostile to your interests would have good reason to run Tor nodes and to try to break your anonymity.

The announcement from Tor is linked below.

Tor security advisory: "relay early" traffic confirmation attack | The Tor Blog

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook, Twitter, and Google+.