Thursday, February 25, 2010

Lawful Surveillance

For those interested Cryptome.org has published a series of internal manuals used by companies such as Facebook, Microsoft, AOL, and others that document how these companies work with law enforcement agencies to retain and transmit data about persons of interests. In light of ou discussion of the Shadow Factory and our discussion of government surveillance in general I thought these manuals would interest many of you.

Check out cryptome.org for links to the manuals.

Tuesday, February 23, 2010

Block all Drive-By Download Exploits

In the interest of arming students with tools and techniques to protect themselves from malicious software Id like to discuss the imminent arrival of BLADE - short for Block all Drive-By Download Exploits.

BLADE appears to be similar to Sandboxie - another tools Ive discussed in the past. Phil Porras, a Program Director for the project from SRI International, states that BLADE acts as a sandbox for the browser and prevents malware from being written to the hard drive.


Although the BLADE project team has not yet released the tool, it has published interesting statistics gathered during the testing of the software. To date BLADE has tested 5579 Drive-By Exploits from 1318 unique malicious URLs. According to these statistics, users running Microsoft Internet Explorer were successfully compromised 43.9% of the time.

Further, the Adobe Reader plug-in was successfully compromised 56.8% of the time.
The most disconcerting statistic is that Anti-Virus software failed to detect 72.8% of these exploits.

Sunday, February 21, 2010

Batman FTW

This is in no way related to class. I just found the cartoon really amusing.


Image courtesy http://ffffound.com/.


Friday, February 19, 2010

My Kind of Privacy Policy

As we've discussed in class most users fail to read or understand the privacy policy of the various social networks and websites they visit. In many cases these privacy policies are written in opaque and dense legalese. Users have grown accustomed to these impossibly confusing privacy policies and as result routinely ignore them.

Im happy to report a pleasant surprise. While signing up for the new online service Backupify.com I took a moment to examine the websites privacy policy. It was shocking in its clarity.

Backupify's privacy policy is as follows:

Backupify is a strong supporter of online privacy and individual rights. We only collect data necessary to run the service effectively. Any data you store on Backupify is yours. We claim no rights to it. We don't look at it, we don't sell it, we don't analyze it, or anything else. Below are some specific questions we get and answers to them.

What information is collected about me?
We only collect data you provide us at sign-up. We do not ask for any other personal information. We do not collect data without your knowledge.

How do you use collected information?
We don't use it at all. The only thing we collect and monitor is general patterns of storage and service usage so that we can make sure our architecture is optimized for speed and scalability.

What security measures do you use to protect my privacy?
Any information we have about you is stored with strong encryption.

Will my information be shared with others?
No. Your information will not be shared with anyone, except in cases where information may be subpoenaed by law.

Wow. Thats pretty straightforward. I can only hope that other online service providers follow Backupify's lead and re-write their privacy policy in such clear terms.

For those interested, Backupify is an online service provider that provides an in the cloud backup service for your online accounts like Facebook, GMail, etc.

School Spies Students Through Their Laptop Cameras

According to the Associated Press, "a suburban Philadelphia school district used the webcams in school-issued laptops to spy on students at home, potentially catching them and their families in compromising situations, a family claims in a federal lawsuit."

A lawsuit against the Lower Marion School district contends that "the school district can activate the webcams without students' knowledge or permission."

The plaintiffs in the suit allege that Lindy Matsko, an assistant principal at Harriton High School, informed them that their son had engaged in improper behavior at home. The lawsuit stated, "(Matsko) cited as evidence a photograph from the webcam embedded in minor plaintiff's personal laptop issued by the school district." Further, Matsko later confirmed to the plaintiffs that the school had the ability to remotely activate webcams in the school issued laptops.

According to Gizmodo, the school issued laptops come with Apple Remote Desktop which would allow administrators to remotely access the school issued Mac Books and to turn on the embedded iSight camera. Gizmodo's Jesus Diaz succinctly sums up my feelings about the Lower Marion School District administration writing "way to go, KGB-wannabe assclowns."

If you're going to give students laptops to aid in their academic pursuits dont effing us that same laptop as a tool of surveillance and repression. And no, I dont think im being too dramatic with my language. As Uncle Ben said to Peter Parker, "with great power comes great responsibility."

Hat tip to your classmate Oliver for originally referring this story to me.

Wednesday, February 17, 2010

Please Rob Me

Jennifer Van Grove from Mashable.com checks-in with a report about an interesting new website that highlights the potential dangers of social media networks with location sharing services like Loopt, Foursquare and Google Buzz.

The creators of the PleaseRobMe.com offer this description of their website:
The danger is publicly telling people where you are. This is because it leaves one place you're definitely not... home. So here we are; on one end we're leaving lights on when we're going on a holiday, and on the other we're telling everybody on the internet we're not home. It gets even worse if you have "friends" who want to colonize your house. That means they have to enter your address, to tell everyone where they are. Your address.. on the internet.. Now you know what to do when people reach for their phone as soon as they enter your home. That's right, slap them across the face.
As Van Grove points out, there is evidence that criminals are using information gleaned from these social networking services to do more than commit cyber fraud. In some cases, criminals are using this information to aid in burglary. In a separate report for Mashable.com, Van Grove wrote
Unfortunately, over-sharing of this variety has been known to cause adverse side effects. Most recently, Israel Hyman (@izzyvideo), a video podcaster, took a trip to the midwest with his family and twittered about the excursion. He came home to find that his house had been burglarized.


This site is just another example of how many in their rush to adopt the latest social media tool inadvertently share too much of their personal information.

Tuesday, February 9, 2010

Still Think You're Anonymous Online

If our class discussions havent disabused you of notion that everyone is anonymous online you should check out Harlan Yu and David Robinson's writing at the Freedom to Tinker Blog. Harlan and David discuss the various legal techniques that can be used to uniquely identify individuals on the Internet.

David discusses the simplest route to uniquely identifying users on the Internet writing
if a plaintiff's lawyer cannot otherwise determine who the poster is, the lawyer will typically subpoena the forum web site, seeking the IP address of the anonymous poster. Many widely used web based discussion systems, including for example the popular Wordpress blogging platform, routinely log the IP addresses of commenters. If the web site is able to provide an IP address for the source of the allegedly defamatory comment, the lawyer will do a reverse lookup, a WHOIS search, or both, on that IP address, hoping to discover that the IP address belongs to a residential ISP or another organization that maintains detailed information about its individual users.

Of course, in many cases, this method won't work. The forum web site may not have logged the commenter's IP address. Or, even if an address is available, it might not be readily traceable back to an ISP account: the anonymous commenter may been using an anonymization tool like Tor to hide his address. Or he may have been coming online from a coffee shop or similarly public place (which typically will not have logged information about its transient users). Or, even if he reached the web forum directly from his own ISP, that ISP might be located in a foreign jurisdiction, beyond the reach of an American lawyer's usual legal tools.
Both David and Harlan point out that even if a user cannot be uniquely identified through these traditional means a number of techniques are still available. Harlan writes
There are numerous third party web services that may hold just enough clues to reidentify the speaker, even without the help of the content provider or the ISP. The vast majority of websites today depend on third parties to deliver valuable services that would otherwise be too expensive or time-consuming to develop in-house. Services such as online advertising, content distribution and web analytics are almost always handled by specialized servers from third party businesses. As such, a third party can embed its service into a wide variety of sites across the web, allowing it to track users across all the sites where it maintains a presence.

Take for example the popular online blog Boing Boing. Upon loading its main page while recording the HTTP session, I noticed that my browser is automatically redirected to domains owned by no fewer than 17 distinct third party entities: 10 services that engage in advertising or marketing, five that embed media or integrate social networking functionality, and two that provide web analytics. By visiting this single webpage, my digital footprints have been scattered to and collected by at least 17 other online entities that I made no deliberate attempt to contact. And each of these entities will likely have stored a cookie on my web browser, allowing it to identify me uniquely later when I browse to one of its other partner sites. I don't mean to pick on Boing Boing specifically—taking advantage of third party services is a nearly universal practice on the web today, but it's exactly this pervasiveness that makes it so likely, if not probable, that all of my digital footprints together could link much of my online activities back to my actual identity.

To make this point concrete, let's say I post a potentially defamatory remark about someone using a pseudonym in the comments section of a Boing Boing article. It happens that for each article, Boing Boing displays the number of times that the article has been shared on Facebook. In order to fetch the current number, Boing Boing redirects my browser to api.facebook.com to make a real-time query to the Facebook API. Since I happen to be logged in to Facebook at the time of the request, my browser forwards with the query my unique Facebook cookie, which includes information that explicitly identifies me—namely, my e-mail address that doubles as my Facebook username.
If you are interested in learning where you are leaving your digital foot and finger prints when you browse the web you should install the 'Ghostery' plug-in for Firefox. Ghostery will notify you when a website utilizes "third-party web bugs, ad networks and widgets."

Monday, February 8, 2010

The Importance of Protecting Your Search History

The Electronic Frontier Foundation (EFF) correctly points out that Google's Super Bowl Ad highlights the importance of protecting our search history. Watch the ad again if you missed it during the game.



In the EFF's words, "Google's ad during yesterday's Superbowl explained in less than a minute how the story of someone's life can be pieced together from their search queries. Using only the search terms and user's clicks of the search results, Google told the story of a user who seeks love while studying abroad in Paris, finds it, moves to Paris, marries and has a child."

John Battelle has dubbed Google "the database of intentions" due to its ability to catalog our desires as it guides us to what we are looking for on the Internet. Review your own search history. What does it reveal about you?

Saturday, February 6, 2010

Im on a boat

This is the kind of material I find online when I get snowed in ... Extra credit for any student that can post a coherent comment about this video that relates back to the class materials.



Thursday, February 4, 2010

Google Partners with NSA

According to the Washington Post,

The world's largest Internet search company and the world's most powerful electronic surveillance organization are teaming up in the name of cybersecurity.

p>Under an agreement that is still being finalized, the National Security Agency would help Google analyze a major corporate espionage attack that the firm said originated in China and targeted its computer networks, according to cybersecurity experts familiar with the matter. The objective is to better defend Google -- and its users -- from future attack.

Google and the NSA declined to comment on the partnership. But sources with knowledge of the arrangement, speaking on the condition of anonymity, said the alliance is being designed to allow the two organizations to share critical information without violating Google's policies or laws that protect the privacy of Americans' online communications. The sources said the deal does not mean the NSA will be viewing users' searches or e-mail accounts or that Google will be sharing proprietary data.

The partnership strikes at the core of one of the most sensitive issues for the government and private industry in the evolving world of cybersecurity: how to balance privacy and national security interests. On Tuesday, Director of National Intelligence Dennis C. Blair called the Google attacks, which the company acknowledged in January, a "wake-up call." Cyberspace cannot be protected, he said, without a "collaborative effort that incorporates both the U.S. private sector and our international partners."

I recommend reading the entire article.

What are your opinions on this partnership? Is Google trading the privacy of its users for increased security with this partnership?

Wednesday, February 3, 2010

Internet Drivers Licenses

Throughout our time in class we will discuss the dangers of surfing the Internet including identity theft, malware attacks, and others. Many commentators have suggested that requiring an "Internet Drivers License" would cure these problems. According to this line of thinking, requiring web surfers to acquire an Internet Drivers License would remove anonymous use of the Internet and if web surfers were not anonymous malicious activity could be traced, prosecuted and ultimately eliminated.

Bruce Schneier neatly sums of this argument in a recent blog post,

Universal identification is portrayed by some as the holy grail of Internet security. Anonymity is bad, the argument goes; and if we abolish it, we can ensure only the proper people have access to their own information. We'll know who is sending us spam and who is trying to hack into corporate networks. And when there are massive denial-of-service attacks, such as those against Estonia or Georgia or South Korea, we'll know who was responsible and take action accordingly.

Schneier also points out the fallacy in this argument,

Imagine a magic world in which every Internet packet could be traced to its origin. Even in this world, our Internet security problems wouldn't be solved. There's a huge gap between proving that a packet came from a particular computer and that a packet was directed by a particular person. This is the exact problem we have with botnets, or pedophiles storing child porn on innocents' computers. In these cases, we know the origins of the DDoS packets and the spam; they're from legitimate machines that have been hacked. Attribution isn't as valuable as you might think.

In an article entitled Driver's License for Web Users… Bad Idea Susan Brenner a professor of Law and Technology agrees with Schneier

I don't see that we have the inevitable, persistent visibility online that we have when we're operating a motor vehicle on city streets or on highways. We don't (as far as I know) have the digital equivalent of traffic cops trolling the Internet to see if we're obeying the online traffic laws (would we also need to invent those if we're going to introduce Internet driver's licenses?).

What do you think? Should Internet users be licensed? If so, would this improve security? If so, at what costs?