Protect your security from ISPs stripping email encryption

Cricket Engineers at Golden Frog recently discovered that Cricket wireless was automatically disabling their email encryption.

It is not at all clear why they were doing this, but we do know how. When an email client attempts to make a secure connection to a server, it sends a STARTTLS command. If the server never sees the STARTTLS, then it assumes you just wanted an insecure connection.

The ISP can easily modify the data stream to remove the request, causing your computer to connect without any encryption. According to the standard, the user is supposed to get a warning about this, but in practice almost all software just fails silently.

The best way to protect yourself against this attack is to encrypt your email end to end. You can use SMIME, which is built into most email clients, or GPG. GPG can be stronger, but it is harder to use, and easy to misuse. Either will significantly improve your security.

The next step is to use a VPN like Anonymizer.com to protect you against your ISP. It will also protect you against anyone else in the path between your computer and your VPN service. Unfortunately between them and the destination server, you are still vulnerable to any hostile ISPs.

https://www.youtube.com/watch?v=aHtVjZJxO_Q

[powerpress]

Some other articles on this attack: Arstechnica, & The Washington Post

Also read:

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on FacebookTwitter, and Google+.

Dropbox and bad password hygiene

Empty Cardboard Box The recent incident where attackers posted usernames and passwords for compromised Dropbox accounts really shows the importance of practicing good password hygiene.

GigaOm has one of many articles describing the actual events. The short version is that some hackers have been posting usernames and passwords to Dropbox accounts on a Pastebin page. Dropbox says that they have not been compromised, and that the passwords were actually taken from other websites or through other methods.

If this is true, and it seems reasonable, then those who have been compromised became victims because they reused their passwords across multiple websites. That is probably a bigger security error than choosing weak passwords in the first place.

The security at websites varies widely, usually based on the sensitivity of the information on that site. Banks tend to have better security than news sites or discussion sites. If you use the same password with all these sites, then if any of them is compromised the attacker can simply try your username / password on every other interesting website to see if they work there too.

The solution is to use a different password on every website. They should not be simply modifications of each other but actually completely different passwords. Additionally they should be long and random. This means that they will be impossible to remember, but a password manager or password vault can take care of that for you. It will generate the strong random passwords, fill in the forms for you, and sync between your various computers and other devices. There is no excuse not to use unique and strong passwords with every website, and you will be much safer if you do.

https://www.youtube.com/watch?v=XS7cyv_4o8A

[powerpress]

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook, Twitter, and Google+.

SWCAAS - Secret Warrant Compliance as a Service

FISA court order cropped

Here is a new “as a service” offering I had never considered. Companies are supporting ISPs in responding to classified FISA court search warrants for the ISPs, including helping to capture the data and deciding if the request is proper.

Meet the shadowy tech brokers that deliver your data to the NSA | ZDNet

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook, Twitter, and Google+.

Cosplay for Privacy!

Secret Identity All The Best Dragon Con Cosplayers Fighting For Online Privacy

In a brilliant campaign, IO9 and the EFF is having cosplayers pose with pro-anonymity, pro-privacy, and pro-pseudonymity signs. See the whole set here. The most popular seems to be “I have a right to a Secret Identity!”.

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook, Twitter, and Google+.

Facebook Messenger alarmism is distracting from real Internet privacy issues

FacebookMessenger nouveau logo

The Internet is on fire with outrage right now about the security warnings in the Facebook Messenger app. The furor is based on the viral spread of a post on the Huffington Post back in December of last year. The issue has come to the fore because Facebook is taking the messaging capability out of the main Facebook app, so users will have to install the Messenger app if they want to continue to use the capability.

The particular problem is with the warnings presented to users when they install the app on Android. Many articles are describing this as the “terms of service” but the warning are the standard text displayed by Android based on the specific permissions the app is requesting.

Here are the warnings as listed in that original the Huffington Post article:

  • Allows the app to change the state of network connectivity
  • Allows the app to call phone numbers without your intervention. This may result in unexpected charges or calls. Malicious apps may cost you money by making calls without your confirmation.
  • Allows the app to send SMS messages. This may result in unexpected charges. Malicious apps may cost you money by sending messages without your confirmation.
  • Allows the app to record audio with microphone. This permission allows the app to record audio at any time without your confirmation.
  • Allows the app to take pictures and videos with the camera. This permission allows the app to use the camera at any time without your confirmation.
  • Allows the app to read you phone's call log, including data about incoming and outgoing calls. This permission allows apps to save your call log data, and malicious apps may share call log data without your knowledge.
  • Allows the app to read data about your contacts stored on your phone, including the frequency with which you've called, emailed, or communicated in other ways with specific individuals.
  • Allows the app to read personal profile information stored on your device, such as your name and contact information. This means the app can identify you and may send your profile information to others.
  • Allows the app to access the phone features of the device. This permission allows the app to determine the phone number and device IDs, whether a call is active, and the remote number connected by a call.
  • Allows the app to get a list of accounts known by the phone. This may include any accounts created by applications you have installed.

This strikes me as more an inditement of the over broad requests for permissions by apps in Android than any particular evil intent on Facebook’s part. Obviously many of these things would be very bad indeed, if Facebook actually did them. After significant searching I have not seen any suggestion at all that Facebook is or is likely to do any of these things without your knowledge.

Many articles are ranting about the possibility that Facebook might turn on your camera or microphone without warning and capture embarrassing sounds or images. Doing so would be disastrous for Facebook, so it seems very unlikely.

After reviewing the actual Facebook privacy policies and terms of service in the Messenger app, I don’t see any sign that these actions would be permitted but of course Facebook does have the right to change the policies, basically at will.

Don’t take from this that I am a Facebook apologist. Anyone looking back through this blog will see many cases where I have criticized them and their actions (here, here, here, here for example). There are major problems with the amount of data Facebook collects, how they collect it from almost everywhere on the Internet (not just their website or apps), and their privacy policies. I have turned off location tracking for the Messenger app on my iPhone because I don’t want Facebook tracking that.

However….. Facebook is not going to start turning on your camera at night to take naked pictures of you! There is a lot about privacy on the Internet to worry about, lets stay focused on the real stuff rather than these fantasies.

The Social Network Show on KDWN Presents Lance Cottrell — The Social Network Station

Standard Profile PictureOn Sunday I appeared on The Social Network Show talking about general privacy and security issues. Follow the link below for the show’s post and audio. The Social Network Show on KDWN Presents Lance Cottrell — The Social Network Station

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook, Twitter, and Google+.

7 Conundrums of the Right to be Forgotten

Digital Eraser

The recent ruling by the European Court of Justice (ECJ) has re-ignited debate about the “right to be forgotten”, or perhaps more accurately the right to have certain information purged from the Internet. While this right provides some real privacy benefits, it runs up against free speech and jurisdictional problems.

Here are seven conundrums around the right to be forgotten and the recent ECJ ruling:

  1. The ECJ ruling provides for removing search results, but not for removing the underlying web page. In the case in question, a newspaper article is allowed to stay on-line, but a search on the plaintiff's name must not return a link to that page.
  2. While the search result would be removed when the search is the person’s name, other searches for the information would show that link.
  3. The ECJ does not give you a right to remove anything harmful or embarrassing to you, only information “inadequate, irrelevant or no longer relevant, excessive in relation to the purposes of the processing”
  4. You don’t have a right to have certain information forgotten if that is newsworthy and noteworthy. In other words, if this was likely to be searched for by a lot of people, then you can’t remove it.
  5. The ECJ ruling only applies to EU residents . If you are outside the EU, or using a search engine outside the EU then you don’t have this right.
  6. The ECJ ruling only applies to search engines operating in the EU. If the search engine is exclusively operating outside the EU, or is being accessed from outside the EU, then the search results would still be visible. This means that you would get the search results if you were using Anonymizer Universal from within the EU.
  7. The tools and laws used to enforce the right to be forgotten are very similar to the techniques used for censorship by repressive regimes. Once in place, the urge to use the power more broadly has been irresistible to governments that obtain it.


Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me onFacebookTwitter, and Google+.

Would you take $8 / month to expose yourself online?

Flasher man Startup Datacoup Will Pay You $8 a Month If Your Feed It Data from Facebook, Twitter, and Your Credit Card | MIT Technology Review

We have seen interesting experiments and studies where researchers have looked at what people are willing to pay to protect their privacy.

This then would be the opposite experiment. A company called Datacoup is offering people $8 per month to give them access to all of their social media accounts, and information on their credit and debit card transactions.

You certainly can’t fault them for being covert about their intentions. They are saying very directly what they want and offering a clear quid pro quo.

I don’t think I will be a customer, but it will be very interesting to see if they can find a meaningful number of people willing to make this deal.

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook and Google+.

Can the market drive privacy protections?

Study: Consumers Will Pay $5 for an App That Respects Their Privacy - Rebecca J. Rosen - The Atlantic

This is refreshing. Some evidence that most people ARE actually willing to pay for privacy. If the market shows that this is a winner, we might start to see more privacy protecting applications and services.

The real question is whether invading your privacy generate more revenue than what we are willing to pay to be protected.

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook and Google+.

Would you sell your privacy for $20 per month?

AT&T thinks that Austin, TX residents will sell their on-line privacy for less than $20 per month. AT&T is launching a service called U-verse with GigaPower, which will provide 300Mbps of bandwidth to the home initially, increasing to 1Gbps in 2014. The cost of the service is $99 per month, but they have a special offer.

If you sign up for the Premier plan you can get the service for $70 per month. Additionally a bunch of setup and install fees are waived and you get free HBO. If you follow the footnote on the offer, you will see that Premier is only available if you agree to participate in the “AT&T Internet Preferences” program.

This invites AT&T to monitor your Internet usage to better profile you and so more effectively target ads at you.

GIGAOM reports that AT&T says "we will not collect information from secure (https) or otherwise encrypted sites, such as online banking or when a credit card is used to buy something online on a secure site. And we won’t sell your personal information to anyone, for any reason.”

I am pleased that they are not doing active man in the middle attacks on customer encryption, but that is a very very low privacy hurdle.

So, is $20 per month enough for you to allow AT&T to monitor, record, and monetize everything you on the Internet? Let me know if the comments.

Of course, if you use Anonymizer Universal for all of your on-line activity, there is nothing for them to see.

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook and Google+.

The Privacy Blog Podcast - Ep. 13: Adobe, Russia, the EU, Experian, Google, Silk Road, and Browser Fingerprinting

Welcome to episode 13 of our podcast for September, 2013.In this episode I will talk about: A major security breach at Adobe How airplane mode can make your iPhone vulnerable to theft Russian plans to spy on visitors and athletes at the winter Olympics Whether you should move your cloud storage to the EU to avoid surveillance Identity thieves buying your personal information from information brokers and credit bureaus How to stop google using your picture in its ads Why carelessness lead to the capture of the operator of the Silk Road And how Browser Fingerprinting allows websites to track you without cookies.

Please let me know what you think, and leave suggestions for future content, in the comments.

Apparently Open WiFi is actually private

An important decision just came down from the Federal 9th Circuit Court of Appeals about whether Google can be sued for intercepting personal data from open WiFi networks. The intercepts happened as part of the Street View program. In addition to capturing pictures of their surroundings, the Street View vehicles also collect GPS information (to correctly place the pictures) and the MAC addresses (unique hardware identifiers), SSIDs (user assigned network names), and until 2010 they captured some actual data from those networks. The purpose of the WiFi collection is to provide enhanced location services. GPS drains phone batteries quickly, and the weak signals may be unavailable indoors, or even under and significant cover. Nearly ubiquitous WiFi base stations provide another way of finding your location. The Street View cars capture their GPS coordinates along with all of the WiFi networks they can see. Your phone can then simply look at the WiFi networks around it, and ask the database what location corresponds to what it is seeing. WiFi is often available indoors, has short range, requires much less power, and is generally turned on in any case. Google claims that capturing the actual data was an accident and a mistake.

Unfortunately that data contained usernames, passwords and other sensitive information in many cases. A lawsuit was filed accusing Google of violating the Wiretap Act when it captured the data. There is no suggestion that the data has been leaked, misused, or otherwise caused direct harm to the victims.

The ruling was on a motion to dismiss the lawsuit on the grounds that Google’s intercepts were protected under an exemption in the Wiretap Act which states that it is OK to intercept radio communications that are “readily accessible” to the general public. The Act specifically states that encrypted or scrambled communications are NOT readily accessible, but the decision hangs on exactly what IS readily accessible. The court ruled that WiFi did not count as “radio” under the Act because several types of radio communications were enumerated, and this was not one of them. They then considered this case under the umbrella of “electronic communications”, which also has an exemption for readily accessible communications. On that, they decided that open WiFi is not readily accessible.

From a privacy perspective, this is good news. It says that people who intercept your information from your open WiFi can be punished (if you ever find out about it). This would clearly prevent someone setting up a business to automatically capture personal and marketing data from coffee shop WiFi’s around the world. It is less likely to have any impact on criminals. I am concerned that it will also lead to a sense of false confidence, and perhaps cause people to leave their WiFi open, rather than taking even minimal steps to protect themselves.

The hacker / tinkerer / libertarian in me has a real problem with this ruling. It is really trivial to intercept open WiFi. Anyone can join any open WiFi network. Once joined, all the the data on that network is available to every connected device. Easy, free, point and click software allows you to capture all of the data from connected (or even un-connected) open WiFi networks. If you are debugging your home WiFi network, you could easily find yourself capturing packets from other networks by accident. They are in the clear. There is no hacking involved. It is like saying that you can not tune your radio to a specific station, even though it is right there on the dial.

I think peeping in windows is a reasonable analogy. If I am standing on the sidewalk, look at your house, and see something through your windows that you did not want me to see, that is really your problem. If I walk across your lawn and put my face against the glass, then you have a cause to complain.

Open WiFi is like a window without curtains, or a postcard. You are putting the data out there where anyone can trivially see it. Thinking otherwise is willful ignorance. All WiFi base stations have the ability to be secured, and it is generally as simple as picking a password and checking a box. You don’t even need to pick a good password (although you really should). Any scrambling or encryption clearly moves the contents from being readily accessible, to being intentionally protected. If you want to sunbathe nude in your back yard, put up a fence. If you want to have privacy in your data, turn on security on your WiFi router.

I think that radio communications are clearly different than wired. With radio, you are putting your data on my property, or out into public spaces. There is no trespass of any kind involved to obtain it, and we have no relationship under which you would expect me to protect the information that you have inadvertently beamed to me. It would be like saying that I can’t look at your Facebook information that you made public because you accidentally forgot to restrict it. 

Similar to provisions of the DMCA, which outlaw much research on copy protection schemes, this is likely to create accidental outlaws of researchers, and the generally technical and curious.


The Privacy Blog Podcast – Ep.11: Lavabit & Silent Circle Shutdown, Hoarding Bitcoins, and “Spy” Trash Cans in London

Welcome to Episode 11 of The Privacy Blog Podcast, brought to you by Anonymizer. In this episode, I’ll discuss the shutdown of secure email services by Lavabit and Silent Circle. In addition, we’ll dive into the problem with hoarding Bitcoins and how you can protect yourself while using the increasingly popular online currency. Lastly, I’ll chat about whether teens actually care about online privacy and an ad agency’s shocking decision to use high-tech trash cans to measure Wi-Fi signals in London.

Please leave any questions or feedback in the comments section. Thanks for listening.

Teens are not the no-privacy generation after all

Report: Teens Actually Do Care About Online Privacy -- Dark Reading

I keep hearing people say that young people today don't care about privacy, and that we are living in a post privacy world. This is clearly not the case.

Teens share a lot, maybe much more than I would be comfortable with, but that does not mean that they share everything, or don't care about where that information goes.

A new report from the Pew Research says that over half of teens have avoided or un-installed a mobile app because of privacy concerns. This is a sign that they are privacy aware and willing to do something about it.

Teens almost always have something that they want to hide, if only from their parents.

Lavabit and Silent Mail shutdowns

There has been a lot of chatter about implications of first Lavabit and then Silent Circle's Silent Mail being shut down by their operators.

In both cases, it appears that there was information visible to the services which could be compelled by search warrants, court orders, or national security letters.

I want to assure Anonymizer users that we have no such information about Anonymizer Universal users that could be compelled. While we know who our customers are, for billing purposes, we have no information at all about what they do.

This has been tested many times, under many different kinds of court orders, and no user activity information has ever been provided, or could be provided.

The Privacy Blog Podcast – Ep.10: Storage Capacity of the NSA Data Center, Royal Baby Phishing Attacks, and how your SIM Card is Putting you at Risk

Welcome to Episode 10 of The Privacy Blog Podcast, brought to you by Anonymizer. In July’s episode, I’ll be talking about the storage capacity of the NSA’s data center in Utah and whether the US really is the most surveilled country in the world. Next, I’ll explain why the new royal baby is trying to hack you and how your own phone’s SIM card could be putting your privacy at risk.

Lastly, I’ll discuss the current legal status of law enforcement geolocation, Yahoo!’s decision to reuse account names, and  some exciting Anonymizer Universal news.

As always, feel free to leave any questions in the comments section. Thanks for listening!

Law Enforcement Back Doors

Bruce Schneier has a great post on issues with CALEA-II.

He talks about two main issues, with historical context.

First, about the vulnerabilities that automated eavesdropping backdoors always create in communications, and how that disadvantages US companies.

Second, about the fact that law enforcement claims of communications "Going Dark" are absurd given the treasure trove of new surveillance information available through social media, and cloud services (like gmail).

I know I have talked about this issue a lot over the years, but I am shocked that I can't find any posts like it on this blog.

Bruce does it really well in any case.

Why California’s Suggested 100 Word Privacy Policy is the Best Worst Idea

A guest post by Janelle Pierce who enjoys writing about various business issues, and spends her time answering questions like, "what is point of sale"?  

Just last month California’s Assemblymember Ed Chau (D-Alhambra) introduced a bill that would require the website privacy policy of any company located in California to be no more than 100 words long, and written at the reading level of an 8th grade student.

While Chau’s practice what you preach 64-word bill has garnered a lot of negative press lately, one thing is for certain; it has gotten people talking about something most people don’t talk about, the privacy policy. For those who don’t know what a privacy policy is, it’s simply the legal document that every website must have. According to Wikipedia.org a privacy policy is:

“A statement or a legal document (privacy law) that discloses some or all of the ways a party gathers, uses, discloses and manages a customer or client's data. Personal information can be anything that can be used to identify an individual, not limited to but including; name, address, date of birth, marital status, contact information, ID issue and expiry date, financial records, credit information, medical history, where you travel, and intentions to acquire goods and services.”

Whenever you register a username on a website, whether for free e-mail, picture sharing, or social networking, you must agree to the site’s established privacy policy. Generally speaking most users simply click “accept” without ever reading, much less understanding, what is written in the privacy policy. This is often because site privacy policies are long, written in confusing legalese, and often overshadowed by the false assumption that a site with a privacy policy will keep your data private. While I do agree that ultimately the responsibility for reading and understanding the privacy policy lies with the users of a site, the same can be said about those who write and present the policy.

Which brings me to the point I’d like to make, that is, I think Chau’s idea to force privacy policies to a maximum of 100 words, and require that they’re written at an eighth grade reading level, is a good one. However, I do feel it has a few drawbacks that almost invalidate its ability to be credible. First, requiring that a legal document be 100 words or less is a little short sighted. Don’t get me wrong, I think the thought behind making this otherwise lengthy, unreadable, and downright obnoxious (yet important) document accessible to everyone is a great goal, but requiring 100 words or less doesn’t offer a company the chance to disclose everything they need to disclose. I think a maximum word count should be required, but there is no reason it needs to be so low.

Second, I think requiring an 8th grade reading level is an excellent idea. Too often these policies are chalked full of legal words and phrases that even college educated users cannot make sense of. That being said, I think Chau’s attempt at “rewriting” the privacy policy is a good one, albeit a little short sighted. Like many things in life that we’ve put up with for too long the privacy policy is definitely in need of an overhaul. However, trying to shore up its lacking all at once and in such an aggressive manner may not be the right approach. There’s no doubt that something needs to be done about the state of the average privacy policy, but rushing headlong into it so aggressively tends to alienate people who would otherwise be supporters of Chau’s intention.

For help creating a privacy policy you can contact a business lawyer or simply use an online privacy policy generator.

Do you read privacy policies or simply click “accept”? Share your thoughts below.

Do you have a right to be forgotten

The right to be forgotten is a topic discussed more in Europe than in the US. The core question is whether you have a right to control information about yourself that is held and published on the Internet by third parties.

This includes social media, news sites, discussion forums, search engine results, and web archives.

The information in question may be true or false, and anything from embarrassing to libelous.

 

Often discussions about removing old information center on calls for Google to remove information from their search results. I think they are chosen because they are the dominant search engine, and people feel that if the information is not shown in Google, then it is effectively gone. Of course, search engines are really just pointing to the actual data, while generally lives on some other website.

Being removed from Google does nothing to the existence of the information, nor would it impact indexing of that information by other search engines.

 

Even if you get the hosting website to remove the information, there are many organizations like archive.org who may have copied and archived the information, thus keeping it alive and available.

Here are some examples of information that you might want removed.

  • Racist rantings on an old social media site to which access has been lost.
  • Drunk party pictures on a friend’s social media account.
  • Newspaper articles about dubious business activities.
  • Court records of a conviction after the sentence has been completed.
  • Negative reviews on a review website.
  • Unflattering feedback on a dating website.

 

In many of these cases, your “right to be forgotten” runs directly into another person’s “right to free speech”.

 

My thinking on this is still evolving, and I would welcome your thoughts and feedback. Right now I think that the free speech right trumps the right to be forgotten except in specific situations which need to be legally carved out individually; things like limitations on how long credit information should be allowed to follow you. Of course, the problem will be that every country will draw these lines differently, making enforcement and compliance very difficult, and leading to opportunities for regulatory arbitrage.

 

We are already seeing this in the EU. While most of the EU is moving towards codifying a right to be forgotten, the UK is planning to opt out of that.