Tuesday, October 4, 2011

Congressman lambastes Chinese cyber-espionage

From the Washington Post,

The chairman of the House intelligence committee on Tuesday launched a broadside against the Chinese government and its efforts to steal commercial data and other intellectual property online, saying that Beijing’s cyber-espionage campaign has “reached an intolerable level” and that the United States and its allies have an “obligation to confront Beijing and demand that they put a stop to this piracy.”

Rep. Mike Rogers (R-Mich.) noted that it might seem odd that a lawmaker charged with overseeing the U.S. intelligence community should lament spying by another government. But he said that China’s espionage activities now extend beyond the U.S. government and military to include scores of private American companies.

Continue reading here

Sunday, October 2, 2011

Homeland Security tries to shore up nation’s cyber defenses

From the Washington Post,

Screens glowed, mice clicked and lines of code scrolled on the laptop monitors of a hacker team hired by Barney Advanced Domestic Chemical Co. — or BAD Company — to break into a rival firm’s computer network.

In another room here at Idaho National Laboratory, a computer operator noticed something wrong. “They’re hitting one of our servers!” he said. The lights in the control room soon failed, and liquid gushed from a set of tanks as green and red lights flashed.

“We’ve got a spillover!” shouted the supervisor. “Call the hazmat team!”

Continue reading here.

2,700 hacking attempts on S.Korea military in year

From the AFP,

South Korea's military has seen more than 2,700 attempts to hack into its websites over the past year, a lawmaker said Wednesday, amid growing concern over North Korea's cyber warfare capability.

Kim Ok-Lee of the ruling Grand National Party said the military's websites had seen 2,772 hacking attempts from July 2010 to last month, according to data from the defence ministry.

The monthly average number of attacks has grown from some 170 last year to more than 200 in 2011, the ministry said in a report submitted to Kim.

Continue reading here

Suit Claims Real Estate Firm Hacked Rival’s Listings

From the Wall Street Journal,

Bond New York, a real estate brokerage with hundreds of upscale apartment listings around the city, has been accused of hacking into a competitor’s computer system and stealing listing information.

A.C. Lawrence & Co., a competitor firm, has filed suit in New York Civil Supreme Court, claiming that Bond has been hacking into its computer system since February and stealing exclusive listing information.

Competition among residential brokers for exclusive listings has long been fierce, but the suit notes that this appears to be the first time in New York State that a brokerage has been accused of hacking into computers to steal listings.

Continue reading here

There's little privacy in a digital world

From the LA Times,

During his two-hour morning bike ride, Eric Hartman doesn't pay much attention to his iPhone.

But the iPhone is paying attention to him.

As he traverses the 30-mile circuit around Seal Beach, Hartman's iPhone knows precisely where he is at every moment, and keeps a record of his whereabouts. That data is beamed to Apple Inc. multiple times each day, whether Hartman is using his phone to take pictures, search for gas stations or check the weather.

And it's not just the iPhone that's keeping track.

Continue reading here

Facebook Targeted in Group Privacy Suit Over Internet Tracking

From BusinessWeek,

Facebook Inc., the world’s most popular social-networking service, was accused by users of the site in a class-action lawsuit of secretly tracking their Web activity after they log off.

The company assures users that “cookie” files installed on their computers to identify them and track their interactions with Facebook applications and websites while they are logged on are removed when they log off, according to a complaint in federal court in San Jose, California. Facebook admitted on Sept. 26 that the cookies track users’ Internet activity after they log off, according to yesterday’s complaint.

Continue reading here

Sunday, September 25, 2011

'Lurid' malware hits Russia, CIS countries

Courtesy of ComputerWorld's Jeremy Kirk,

The latest espionage-related hacking campaign detailed by security vendor Trend Micro is most notable for the country it does not implicate: China.

Researchers from Trend Micro wrote on Thursday that they discovered a series of hacking attacks targeting space-related government agencies, diplomatic missions, research institutions and companies located mostly in Russia but also Vietnam and Commonwealth of Independent States countries. In total, the attacks targeted 1,465 computers in 61 countries.

Read more here

Coordinated ATM Heist Nets Thieves $13M

Courtesy of Brian Krebs of KrebsOnSecurity.com,

An international cybercrime gang stole $13 million from a Florida-based financial institution earlier this year, by executing a highly-coordinated heist in which thieves used ATMs around the globe to cash out stolen prepaid debit cards, KrebsOnSecurity has learned.

Jacksonville-based Fidelity National Information Services Inc. (FIS) bills itself as the world’s largest processor of prepaid debit cards; FIS claims to process more than 775 million transactions annually. The company disclosed the breach in its first-quarter earnings statement issued May 3, 2011. But details of the attack remained shrouded in secrecy as the FBI and forensic investigators probed one of the biggest and most complex banking heists of its kind.

Read more here.

U.S. Expresses Concern About New Cyberattacks in Japan

Courtesy of Hiroko Tabuchi of the New York Times,

The United States gave a stern warning on Wednesday over recent cyberattacks on Japan’s biggest defense contractors, the latest in a series of security breaches that have fueled concern about Tokyo’s ability to handle delicate information.

An online assault on defense contractors including Mitsubishi Heavy Industries, which builds F-15 fighter jets and other American-designed weapons for Japan’s Self-Defense Forces, began in August, but only came to light this week, prompting rebukes from Japanese officials over the timing of the disclosure. The IHI Corporation, a military contractor that supplies engine parts for fighter jets, may have also been a target, the Nikkei business daily reported.

Read more here

'Stingray' Phone Tracker Fuels Constitutional Clash

Courtesy of the Wall Street Journal's Jennifer Valentino-Devries,

For more than a year, federal authorities pursued a man they called simply "the Hacker." Only after using a little known cellphone-tracking device—a stingray—were they able to zero in on a California home and make the arrest.

Stingrays are designed to locate a mobile phone even when it's not being used to make a call. The Federal Bureau of Investigation considers the devices to be so critical that it has a policy of deleting the data gathered in their use, mainly to keep suspects in the dark about their capabilities, an FBI official told The Wall Street Journal in response to inquiries.

Read more here

Saturday, March 26, 2011

Hack Obtains 9 Bogus Certificates for Prominent Websites; Traced to Iran

From Kim Zetter at Wired's Threat Level Blog,

In a fresh blow to the fundamental integrity of the internet, a hacker last week obtained legitimate web certificates that would have allowed him to impersonate some of the top sites on the internet, including the login pages used by Google, Microsoft and Yahoo e-mail customers.

The hacker, whose March 15 attack was traced to an IP address in Iran, compromised a partner account at the respected certificate authority Comodo Group, which he used to request eight SSL certificates for six domains: mail.google.com, www.google.com, login.yahoo.com, login.skype.com, addons.mozilla.org and login.live.com.

The certificates would have allowed the attacker to craft fake pages that would have been accepted by browsers as the legitimate websites. The certificates would have been most useful as part of an attack that redirected traffic intended for Skype, Google and Yahoo to a machine under the attacker’s control. Such an attack can range from small-scale Wi-Fi spoofing at a coffee shop all the way to global hijacking of internet routes.

At a minimum, the attacker would then be able to steal login credentials from anyone who entered a username and password into the fake page, or perform a “man in the middle” attack to eavesdrop on the user’s session.

Comodo CEO Melih Abdulhayoglu calls the breach the certificate authority’s version of the Sept. 11 terror attacks.

“Our own planes are being used against us in the C.A. [certificate authority] world,” Abdulhayoglu told Threat Level in an interview. “We have to up the bar and react to these new threat models. This untrusted DNS infrastructure cannot be what drives the internet going forward. If DNS was trusted, none of this would have been an issue.”

Comodo says the attacker was well prepared, and appeared to have a list of targets at the ready when he logged into the company’s system and began requesting certificates.

In addition to the bogus certificates, the attacker created a ninth certificate for a domain of his own under the name “Global Trustee,” according to Abdulhayoglu.

Abdulhayoglu says the attack has all the markings of a state-sponsored intrusion rather than a criminal attack.

“We deal with [cybercriminals] all day long,” he said. But “there are zero footprints of cybercriminals here.”

“If you look at all these domains, every single one of them are communications-related,” he continued. “My personal opinion is that someone is trying to read people’s e-mail communications. [But] the only way for this attack to work [on a large scale] is if you have access to the DNS infrastructure. The certificates on their own are no use, unless they have access to the DNS infrastructure itself, which a state would.”

Though he acknowledges that the attack could have originated anywhere, and been routed through Iranian servers as a proxy, he says Iranian president Mahmoud Ahmadinejad’s regime is the obvious suspect.

Out of the nine fraudulent certificates the hacker requested, only one — for Yahoo — was found to be active. Abdulhayoglu said Comodo tracked it, because the attackers had tried to test the certificate using a second Iranian IP address.

All of the fraudulent certificates have since been revoked, and Mozilla, Google and Microsoft have issued updates to their Firefox, Chrome and Internet Explorer browsers to block any websites from using the fraudulent certificates.

Comodo came clean about the breach this week, after security researcher Jacob Appelbaum noticed the updates to Chrome and Firefox and began poking around. Mozilla persuaded Appelbaum to withhold public disclosure of the information until the situation with the certificates could be resolved, which he agreed to do.

Abdulhayoglu told Threat Level that his company first learned of the breach from the partner that was compromised.

The attacker had compromised the username and password of a registration authority, or R.A., in southern Europe that had been a Comodo Trusted Partner for five or six years, he said. Registration authorities are entities that are authorized to issue certificates after conducting a due-diligence check to determine that the person or entity seeking the certificate is legitimate.

“We have certain checks and balances that alerted the R.A. [about the breach], which brought it to our attention,” he said. “Within hours we were alerted to it, and within hours we revoked everything.”

It’s not the first time that the integrity of web certificates has come into question.

Security researcher Moxie Marlinspike showed in 2009 how a vulnerability in the way that web certificates are issued by authorities and authenticated by web browsers would allow an attacker to impersonate any trusted website with a legitimately issued certificate.
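
The attack above works because ordinary certificate validation treats every trusted CA, and every RA account that can make one issue, as equally authoritative for every hostname: a mail.google.com certificate from a compromised reseller chains just as cleanly as one Google obtained itself. The Go program below is an added example, not code from Comodo, Wired or any browser vendor. It builds two throw-away roots (the names are invented), has the "compromised" one issue a certificate for the hostname named in the article, and shows that plain chain validation accepts it while an SPKI pin on the genuine root rejects it. Public-key pinning is the standard client-side mitigation for this class of mis-issuance.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"math/big"
	"time"
)

// mint makes a fresh P-256 key and a certificate from tmpl signed by parent
// (self-signed when parent is nil). Errors panic; this is example code.
func mint(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced; cannot fail
	return cert, key
}

// newCA builds a self-signed root. Both roots in Scenario are constructed for
// this example; neither is Comodo's or any other real CA's key.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	return mint(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}, nil, nil)
}

// issueLeaf has ca sign a server certificate for host, as an RA account can.
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string) *x509.Certificate {
	leaf, _ := mint(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}, ca, caKey)
	return leaf
}

// spkiPin is the base64 SHA-256 of the SubjectPublicKeyInfo, the value clients pin.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// validate mirrors a browser: the leaf must chain to some trusted root and name
// the host. With pins == nil every trusted CA is authoritative for every domain
// (what the attack relies on); with pins, a chain must also carry a pinned SPKI.
func validate(leaf *x509.Certificate, roots *x509.CertPool, host string, pins map[string]bool) bool {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	if err != nil {
		return false
	}
	if pins == nil {
		return true
	}
	for _, chain := range chains {
		for _, c := range chain {
			if pins[spkiPin(c)] {
				return true
			}
		}
	}
	return false
}

// Scenario trusts two roots, as a browser trusts hundreds, while the site's
// clients pin only the genuine one. Returns the verdict of each policy on each leaf.
func Scenario(host string) (genuineChain, rogueChain, genuinePinned, roguePinned bool) {
	genuineCA, genuineKey := newCA("Example Genuine Root")
	rogueCA, rogueKey := newCA("Example Compromised Root")
	roots := x509.NewCertPool()
	roots.AddCert(genuineCA)
	roots.AddCert(rogueCA)
	genuine := issueLeaf(genuineCA, genuineKey, host)
	rogue := issueLeaf(rogueCA, rogueKey, host)
	pins := map[string]bool{spkiPin(genuineCA): true}
	return validate(genuine, roots, host, nil), validate(rogue, roots, host, nil),
		validate(genuine, roots, host, pins), validate(rogue, roots, host, pins)
}
```

Calling `Scenario("mail.google.com")` returns true, true, true, false: both leaves pass ordinary validation, only the genuine one survives the pin check. Revocation and the browser blocklists described in the article close the hole after the fact; a pin closes it before the fraudulent certificate is ever presented.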

Hacker Spies Hit Security Firm RSA

via Kim Zetter at Wired's Threat Level Blog,

Top security firm RSA Security revealed on Thursday that it’s been the victim of an “extremely sophisticated” hack.

The company said in a note posted on its website that the intruders succeeded in stealing information related to the company’s SecurID two-factor authentication products. SecurID adds an extra layer of protection to a login process by requiring users to enter a secret code number displayed on a keyfob, or in software, in addition to their password. The number is cryptographically generated and changes every 30 seconds.

“While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers,” RSA wrote on its blog, “this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack. We are very actively communicating this situation to RSA customers and providing immediate steps for them to take to strengthen their SecurID implementations.”

As of 2009, RSA counted 40 million customers carrying SecurID hardware tokens, and another 250 million using software. Its customers include government agencies.

RSA CEO Art Coviello wrote in the blog post that the company was “confident that no other … products were impacted by this attack. It is important to note that we do not believe that either customer or employee personally identifiable information was compromised as a result of this incident.”

The company also provided the information in a document filed with the Securities and Exchange Commission on Thursday, which includes a list of recommendations for customers who might be affected. See below for a list of the recommendations.

A company spokesman would not provide any details about when the hack occurred, how long it lasted or when the company had discovered it.

“We are not withholding anything that would adversely impact the security of our customer systems,” said spokesman Michael Gallant. “[But] we’re working with government authorities as well so we’re not disclosing any further information besides what’s on the blog post.”

RSA categorized the attack as an advanced persistent threat, or APT. APT attacks are distinctive in the kinds of data the attackers target. Unlike most intrusions that go after financial and identity data, APT attacks tend to go after source code and other intellectual property and often involve extensive work to map a company’s infrastructure.

APT attacks often use zero-day vulnerabilities to breach a company and are therefore rarely detected by antivirus and intrusion programs. The intrusions are known for grabbing a foothold into a company’s network, sometimes for years, even after a company has discovered them and taken corrective measures.

Last year’s hack into Google was considered an APT attack, and, like many intrusions in this category, was linked to China.

RSA, which is owned by EMC, is a leading firm and is most known for the RSA encryption algorithm used to secure e-commerce and other transactions. The company hosts the top-ranked RSA security conference every year.

For more information visit the Wired Threat Level Blog.
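
Why stolen token "information" matters: in a time-based one-time-password scheme the displayed number is a deterministic function of a per-token seed and the clock, so whoever holds a copy of the seed can compute the same code as the token. SecurID's own algorithm is proprietary and is not what follows. The Go code below is an added example, not RSA's; it uses the open RFC 4226/6238 HOTP/TOTP construction (HMAC-SHA1, 30-second step) as a stand-in, seeded with the RFC test-vector key, which is constructed data and not any real token's secret. The server-side `verify` also shows the clock-drift window a deployment chooses.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"time"
)

// hotp is the RFC 4226 one-time password: HMAC-SHA1 over the counter,
// dynamically truncated to 31 bits and reduced modulo 10^digits.
func hotp(seed []byte, counter uint64, digits int) int {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, seed)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f
	code := uint32(h[off]&0x7f)<<24 | uint32(h[off+1])<<16 | uint32(h[off+2])<<8 | uint32(h[off+3])
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return int(code % mod)
}

// totp (RFC 6238) derives the counter from wall-clock time in fixed steps, so
// the code changes every step. Token and server share no channel, only the
// seed and roughly synchronised clocks: the seed is the whole secret.
func totp(seed []byte, at time.Time, step time.Duration, digits int) int {
	return hotp(seed, uint64(at.Unix())/uint64(step/time.Second), digits)
}

// verify is the server side: accept the code for the current step and one step
// either side to tolerate drift. Widening this window, or losing the seed,
// weakens the factor.
func verify(seed []byte, code int, at time.Time, step time.Duration, digits int) bool {
	for d := -1; d <= 1; d++ {
		if totp(seed, at.Add(time.Duration(d)*step), step, digits) == code {
			return true
		}
	}
	return false
}

func main() {
	// Constructed seed: the RFC 4226/6238 test-vector key, not a real token's.
	seed := []byte("12345678901234567890")
	stolen := append([]byte(nil), seed...) // an attacker's copy of the seed record
	now := time.Now()
	fmt.Println("token code:   ", totp(seed, now, 30*time.Second, 6))
	fmt.Println("attacker code:", totp(stolen, now, 30*time.Second, 6))
	fmt.Println("server accepts attacker's code:",
		verify(seed, totp(stolen, now, 30*time.Second, 6), now, 30*time.Second, 6))
}
```

With the RFC vectors, counter 0 yields 755224 and Unix time 59 yields 94287082 at eight digits. The attacker's copy of the seed produces exactly the token's code, which is why a compromise of seed records reduces a two-factor deployment to the strength of the password alone.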

Hey AT&T customers: Your Facebook data went to China and S. Korea this morning…

From Barrett Lyon's blog,

Quietly this morning customers of AT&T browsing Facebook did so by way of China then Korea. Typically AT&T customers’ data would have routed over the AT&T network directly to Facebook’s network provider, but due to a routing mistake their private data went first to Chinanet, then via Chinanet to SK Broadband in South Korea, then to Facebook. This means that anything you looked at via Facebook without encryption was exposed to anyone operating Chinanet, which has a very suspect modus operandi.
This morning’s route to Facebook from AT&T:

route-server>show ip bgp (Facebook's www IP address)
BGP routing table entry for, version 32605349
Paths: (18 available, best #6, table Default-IP-Routing-Table)
Not advertised to any peer
7018 4134 9318 32934 32934 32934

The AS path (routing path) translates to this:

1. AT&T (AS7018)
2. Chinanet (Data in China AS4134)
3. SK Broadband (Data in South Korea AS9318)
4. Facebook (Data back to US, AS32934)

Current route to Facebook via AT&T:

route-server>sho ip bgp
BGP routing table entry for, version 32743195
Paths: (18 available, best #6, table Default-IP-Routing-Table)
Not advertised to any peer
7018 3356 32934 32934, (received & used)

Translated: Your data goes from AT&T’s network to US based Level3 Communications to Facebook’s servers.

What could have happened with your data? Most likely absolutely nothing. Yet, China is well known for its harmful networking practices, limiting network functionality and spying on its users, and when your data is flowing over their network, your data could be treated as any Chinese citizen's. Does that include capturing your session ID information, personal information, emails, photos, chat conversations, mappings to your friends and family, etc.? One can only speculate; however, it's possible.

This brings up a lot of questions:

  • Should Facebook and/or AT&T have notified their customers that their personal information was flowing over a network that they may not trust?
  • Should Facebook enable SSL on all accounts by default?
  • Was this actually a privacy breach or just the way the Internet functions?
  • Does Facebook have an ethical responsibility to buy additional IP connectivity to major broadband and mobile networks to prevent routing mishaps?
  • Is it time to focus on new options within BGP to prevent high profile sites from routing to non-authenticated networks?

This happens all the time — the Internet is just not a trusted network. Yet, I prefer to know that when I am on AT&T’s network, going to US located sites, my packets are not accidentally leaving the country and being subject to another nation’s policies. I guess that’s why you should not use Facebook in “bareback” mode and use HTTPS (SSL) any time you can.

Food for thought.
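
The AS path is the only evidence a network operator sees while a detour like this is happening, so the practical control on the receiving end is to watch it. The Go program below is an added example, not code from Barrett Lyon's post: it parses the two route-server snippets quoted above (embedded as constructed input, with the prefix left out as in the original), collapses AS-path prepending, and flags a US-to-US route whose intermediate hops sit in another country. That check fires on the first path and stays quiet on the second. The ASN-to-country table is hand-built from the networks the post names and is an assumption, not a registry lookup; it does not answer the post's last question, since only origin validation in BGP itself can stop the route from being accepted.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// asInfo is the operator and country for an AS number. The table below is
// constructed for this example from the networks the post names; a real
// monitor would load it from a registry such as an RIR delegation file.
type asInfo struct{ Name, Country string }

var registry = map[int]asInfo{
	7018:  {"AT&T", "US"},
	3356:  {"Level 3", "US"},
	32934: {"Facebook", "US"},
	4134:  {"Chinanet", "CN"},
	9318:  {"SK Broadband", "KR"},
}

// sample is the route-server output quoted in the post, reproduced as
// constructed input (the prefix is omitted, as it was there).
const sample = `route-server>show ip bgp
BGP routing table entry for, version 32605349
Paths: (18 available, best #6, table Default-IP-Routing-Table)
Not advertised to any peer
7018 4134 9318 32934 32934 32934
route-server>sho ip bgp
BGP routing table entry for, version 32743195
Paths: (18 available, best #6, table Default-IP-Routing-Table)
Not advertised to any peer
7018 3356 32934 32934, (received & used)`

// parsePath turns one AS_PATH line into AS numbers, dropping trailing
// annotations such as ", (received & used)" and collapsing AS-path prepending
// (the repeated 32934s). Lines that are not a pure AS path yield nil.
func parsePath(line string) []int {
	if i := strings.IndexByte(line, ','); i >= 0 {
		line = line[:i]
	}
	var path []int
	for _, f := range strings.Fields(line) {
		n, err := strconv.Atoi(f)
		if err != nil {
			return nil
		}
		if len(path) == 0 || path[len(path)-1] != n {
			path = append(path, n)
		}
	}
	return path
}

// extractPaths pulls every AS path out of a block of "show ip bgp" output.
func extractPaths(output string) [][]int {
	var paths [][]int
	for _, line := range strings.Split(output, "\n") {
		if p := parsePath(line); p != nil {
			paths = append(paths, p)
		}
	}
	return paths
}

// foreignTransit flags the intermediate ASNs on a path whose first hop and
// origin are both in home but which transits a network outside home (or one
// missing from the registry). Such a route is legal BGP; it is simply the case
// where traffic that never needed to leave the country did.
func foreignTransit(path []int, home string) []int {
	if len(path) < 3 {
		return nil
	}
	first, origin := registry[path[0]], registry[path[len(path)-1]]
	if first.Country != home || origin.Country != home {
		return nil
	}
	var flagged []int
	for _, asn := range path[1 : len(path)-1] {
		if info, ok := registry[asn]; !ok || info.Country != home {
			flagged = append(flagged, asn)
		}
	}
	return flagged
}

func main() {
	for _, p := range extractPaths(sample) {
		fmt.Printf("path %v:", p)
		for _, asn := range foreignTransit(p, "US") {
			fmt.Printf(" transits AS%d (%s, %s)", asn, registry[asn].Name, registry[asn].Country)
		}
		fmt.Println()
	}
}
```

On the sample input the first path collapses to 7018 4134 9318 32934 and is flagged for AS4134 and AS9318; the second, via Level 3, is not. Unknown ASNs are flagged as well, since a path through a network you cannot place is exactly the one to look at first.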

It’s Tracking Your Every Move and You May Not Even Know

via Noam Cohen at the New York Times,

A favorite pastime of Internet users is to share their location: services like Google Latitude can inform friends when you are nearby; another, Foursquare, has turned reporting these updates into a game.

But as a German Green party politician, Malte Spitz, recently learned, we are already continually being tracked whether we volunteer to be or not. Cellphone companies do not typically divulge how much information they collect, so Mr. Spitz went to court to find out exactly what his cellphone company, Deutsche Telekom, knew about his whereabouts.

The results were astounding. In a six-month period, from Aug. 31, 2009, to Feb. 28, 2010, Deutsche Telekom had recorded and saved his longitude and latitude coordinates more than 35,000 times. It traced him from a train on the way to Erlangen at the start through to that last night, when he was home in Berlin.

Mr. Spitz has provided a rare glimpse — an unprecedented one, privacy experts say — of what is being collected as we walk around with our phones. Unlike many online services and Web sites that must send “cookies” to a user’s computer to try to link its traffic to a specific person, cellphone companies simply have to sit back and hit “record.”

“We are all walking around with little tags, and our tag has a phone number associated with it, who we called and what we do with the phone,” said Sarah E. Williams, an expert on graphic information at Columbia University’s architecture school. “We don’t even know we are giving up that data.”

Tracking a customer’s whereabouts is part and parcel of what phone companies do for a living. Every seven seconds or so, the phone company of someone with a working cellphone is determining the nearest tower, so as to most efficiently route calls. And for billing reasons, they track where the call is coming from and how long it has lasted.

“At any given instant, a cell company has to know where you are; it is constantly registering with the tower with the strongest signal,” said Matthew Blaze, a professor of computer and information science at the University of Pennsylvania who has testified before Congress on the issue.

Mr. Spitz’s information, Mr. Blaze pointed out, was not based on those frequent updates, but on how often Mr. Spitz checked his e-mail.

Mr. Spitz, a privacy advocate, decided to be extremely open with his personal information. Late last month, he released all the location information in a publicly accessible Google Document, and worked with a prominent German newspaper, Die Zeit, to map those coordinates over time.

“This is really the most compelling visualization in a public forum I have ever seen,” said Mr. Blaze, adding that it “shows how strong a picture even a fairly low-resolution location can give.”

In an interview from Berlin, Mr. Spitz explained his reasons: “It was an important point to show this is not some kind of a game. I thought about it, if it is a good idea to publish all the data — I also could say, O.K., I will only publish it for five, 10 days maybe. But then I said no, I really want to publish the whole six months.”

In the United States, telecommunication companies do not have to report precisely what material they collect, said Kevin Bankston, a lawyer at the Electronic Frontier Foundation, who specializes in privacy. He added that based on court cases he could say that “they store more of it and it is becoming more precise.”

“Phones have become a necessary part of modern life,” he said, objecting to the idea that “you have to hand over your personal privacy to be part of the 21st century.”

In the United States, there are law enforcement and safety reasons for cellphone companies being encouraged to keep track of its customers. Both the F.B.I. and the Drug Enforcement Administration have used cellphone records to identify suspects and make arrests.

If the information is valuable to law enforcement, it could be lucrative for marketers. The major American cellphone providers declined to explain what exactly they collect and what they use it for.

Verizon, for example, declined to elaborate other than to point to its privacy policy, which includes: “Information such as call records, service usage, traffic data,” the statement in part reads, may be used for “marketing to you based on your use of the products and services you already have, subject to any restrictions required by law.”

AT&T, for example, works with a company, Sense Networks, that uses anonymous location information “to better understand aggregate human activity.” One product, CitySense, makes recommendations about local nightlife to customers who choose to participate based on their cellphone usage. (Many smartphone apps already on the market are based on location but that’s with the consent of the user and through GPS, not the cellphone company’s records.)

Because of Germany’s history, courts place a greater emphasis on personal privacy. Mr. Spitz first went to court to get his entire file in 2009 but Deutsche Telekom objected.

For six months, he said, there was a “Ping Pong game” of lawyers’ letters back and forth until, separately, the Constitutional Court there decided that the existing rules governing data retention, beyond those required for billing and logistics, were illegal. Soon thereafter, the two sides reached a settlement: “I only get the information that is related to me, and I don’t get all the information like who am I calling, who sent me a SMS and so on,” Mr. Spitz said, referring to text messages.

Even so, 35,831 pieces of information were sent to him by Deutsche Telekom as an encrypted file, to protect his privacy during its transmission.

Deutsche Telekom, which owns T-Mobile, Mr. Spitz’s carrier, wrote in an e-mail that it stored six months of data, as required by the law, and that after the court ruling it “immediately ceased” storing data.

And a year after the court ruling outlawing this kind of data retention, there is a movement to try to get a new, more limited law passed. Mr. Spitz, at 26 a member of the Green Party’s executive board, says he released that material to influence that debate.

“I want to show the political message that this kind of data retention is really, really big and you can really look into the life of people for six months and see what they are doing where they are.”

While the potential for abuse is easy to imagine, in Mr. Spitz’s case, there was not much revealed.

“I really spend most of the time in my own neighborhood, which was quite funny for me,” he said. “I am not really walking that much around.”

Any embarrassing details? “The data shows that I am flying sometimes,” he said, rather than taking a more fuel-efficient train. “Something not that popular for a Green politician.”

Thursday, February 17, 2011

Viewdle Lets the Camera Recognize Your Friends

Via the Wall Street Journal ...

Few technologies have improved as steadily as digital cameras, long a standard feature in cellphones. But a new phase may be coming, as companies like Viewdle allow smartphones to recognize who is in a photograph as it’s taken.

The broader concept–a hot topic at this week’s Mobile World Congress in Barcelona–is called augmented reality. The term refers to overlaying labels, graphics and other information on images seen through a cellphone camera viewfinder.

In the prototypical scenario, a customer looking at goods on a shelf or walking by a restaurant could see reviews or product information superimposed on the display, allowing them to make smarter purchases. Many companies are working in the field and discussing developments this week, including metaio, a Munich-based software developer that also has offices in San Francisco.

Viewdle, based in Palo Alto, Calif., has been specializing in technology that could help apply information to faces. It has developed algorithms to recognize people in photographs and apply identifying tags–an automated alternative to the tagging that many users of Facebook and other sites do manually.

That’s not an entirely new trick. But it usually requires heavy-duty computing horsepower, often carried out by connecting to servers on the Internet in a process after a photo is taken.

Viewdle, which has grown since 2007 to 60 employees, believes it is breaking new ground in allowing smartphones to do these calculations on their own–and in real time, as faces come into a camera’s field of view. (Its software works by comparing faces it detects with images that have been previously stored and identified). The company’s website features a video of five women walking down the street toward the camera, with labels popping up that identify them and post their Facebook comments in real time.

Chip makers like augmented reality, in part because it takes a lot of computing cycles. Qualcomm, for instance, is an investor in Viewdle, which is making sure its software takes advantage of Qualcomm chips.

But Viewdle is not playing favorites. At the Barcelona event, the company is announcing a development kit to help software developers create apps that take advantage of its technology, and optimizing its software also to exploit Texas Instruments’ chips as well as Google’s popular operating system for cellphones. “It will run on all Android devices,” says Jason Mitura, Viewdle’s chief product officer.

When will consumers get to see the results? Viewdle will start by offering its own app, expected to be available in late March. Besides waiting for other apps to follow, the company is also trying to get handset makers to include the capability in their products, Mitura says.

Qualcomm, meanwhile, on Tuesday announced the winners in a contest it hosted for augmented reality applications, putting up $200,000 in total prize money. Taking first place, which entitled them to $125,000, were two men from Lithuania who developed an interactive game called Paparazzi. In it, the player looking through the smartphone viewfinder sees the superimposed image of a vain celebrity.

“You try to take a picture of the virtual guy,” says Jay Wright, a Qualcomm director of business development, before the celebrity gets agitated and attacks.

While anonymity does not equal privacy, the development of technologies like this lays bare the challenges that we face as a society in protecting our privacy and security in the digital age.

Federal Officials Call For Better Privacy, Security Protections Online

Via Dennis Fisher at ThreatPost ...

The Obama administration's top information security officials hit the stage at the RSA Conference Tuesday, looking to drum up support for several of the president's key security and privacy initiatives, including a still-nebulous plan for protecting users' freedom and privacy on the Web.

The plea for help from the thousands of security experts and enterprise executives gathered here for RSA came from Howard Schmidt, the president's cybersecurity adviser and Philip Reitinger, the deputy undersecretary of the National Protection and Programs directorate at the Department of Homeland Security, who spoke as part of a town hall meeting on cybersecurity. Schmidt, a former top security official at Microsoft and eBay, used the Internet shutdown that accompanied the recent revolution in Egypt as an example of what President Obama wants to prevent.

"It is incumbent upon all of us to make sure that we preserve those freedoms," Schmidt said. "We're going to hold others accountable on Internet freedom and make sure that we do those same things ourselves. We need to lead by example."

Earlier in the day, Secretary of State Hillary Clinton gave a similar speech to a group of students at George Washington University in which she emphasized the need for some framework of rules to help guarantee a basic level of freedom online.

"For the United States, the choice is clear. On the spectrum of Internet freedom, we place ourselves on the side of openness. Now, we recognize that an open Internet comes with challenges. It calls for ground rules to protect against wrongdoing and harm. And Internet freedom raises tensions, like all freedoms do. But we believe the benefits far exceed the costs," Clinton said.

What's less clear in all of this is exactly what the Obama administration intends to do to achieve these goals. At RSA, Schmidt and Reitinger both said that in order to improve both security and privacy online, the government needs help from the private sector. This has been a common theme in government information security plans for more than a decade and the idea of more public-private partnerships has been dismissed by many in the industry as futile. But Reitinger said that they can work if done correctly.

"When we say public-private partnership, people don't know what we mean. Neither the government nor the private sector can solve these problems on their own," he said. "People hear this and think we're just going to walk away saying kumbaya. That's not what we're talking about. The successful ones actually are a partnership and they're real and outcome-focused."

None of the panelists offered much in the way of specifics on what the administration planned to do, aside from previously announced initiatives such as the plan to create online IDs. But Schmidt stressed that there were plans in the works that would get things moving.

"We need to ensure we have the safeguards in place to protect people," he said. "It's all about collaboration. We need new ways to work faster. It's critical to our future and having that economic engine that we all need."

Sunday, February 13, 2011

Lawmaker Introduces New Privacy Bill

Via the Wall Street Journal ...

Rep. Jackie Speier, D-Calif., introduced a bill Friday that would give the Federal Trade Commission authority to establish an online do-not-track system.

The bill is the first in this session to specifically tackle the creation of a do-not-track system, according to a spokesman for Ms. Speier. In December, the FTC issued a report recommending the creation of a do-not-track system and suggested that lawmakers use the report as a template for legislation.

Since the FTC's recommendation, Mozilla Corp. has said it will include a do-not-track feature in an upcoming version of its Firefox Web browser. But so far, no tracking companies have publicly stated that they will participate in a do-not-track system.

In its newest Internet Explorer browser, Microsoft will allow users to stop certain websites and tracking companies from monitoring them. And Google last month began offering a tool that lets users of its Chrome browser permanently opt out of ad-tracking cookies.
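As an added illustration, not part of the Journal's article, of what the browser-side mechanisms above look like to a web server: Mozilla's feature sends an extra HTTP request header, DNT: 1, while Google's Chrome tool works by preserving an opt-out cookie that ad networks already honor. A site that wants to respect either signal has to parse both and refrain from setting its tracking cookie. The Python below is example code written for this page; the cookie names "optout" and "uid" are hypothetical stand-ins for whatever a real ad network uses.

```python
from http.cookies import SimpleCookie

# Constructed names for the example; a real ad network's cookie names would differ.
OPT_OUT_COOKIE = "optout"   # hypothetical persistent opt-out cookie
TRACKING_COOKIE = "uid"     # hypothetical cross-site tracking identifier


def get_header(headers, name):
    """Case-insensitive header lookup over a dict of request headers."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_dnt(headers):
    """Interpret the DNT request header.

    Returns True for 'DNT: 1' (user asks not to be tracked), False for
    'DNT: 0' (user explicitly consents), and None when the header is absent
    or malformed, meaning no preference was expressed.
    """
    value = get_header(headers, "DNT")
    if value is None:
        return None
    value = value.strip()
    if value == "1":
        return True
    if value == "0":
        return False
    return None


def has_opt_out_cookie(headers):
    """True if the browser presented the network's opt-out cookie."""
    raw = get_header(headers, "Cookie")
    if not raw:
        return False
    jar = SimpleCookie()
    try:
        jar.load(raw)
    except Exception:  # malformed Cookie header: treat as no opt-out present
        return False
    return OPT_OUT_COOKIE in jar and jar[OPT_OUT_COOKIE].value == "1"


def tracking_allowed(headers):
    """Either opt-out signal is enough to refuse tracking. A 'DNT: 0' does not
    override an opt-out cookie the user stored earlier; the conservative
    reading wins."""
    if parse_dnt(headers) is True:
        return False
    if has_opt_out_cookie(headers):
        return False
    return True


def tracking_response_headers(request_headers, new_uid):
    """Response headers for an ad request. The tracking cookie is set only
    when neither opt-out signal is present."""
    out = [("Cache-Control", "no-store")]
    if tracking_allowed(request_headers):
        out.append(("Set-Cookie", f"{TRACKING_COOKIE}={new_uid}; Path=/; HttpOnly"))
    return out


if __name__ == "__main__":
    # Constructed sample requests: one Firefox user with DNT on, one Chrome user
    # with the preserved opt-out cookie, one user who expressed no preference.
    for hdrs in ({"DNT": "1"}, {"Cookie": "optout=1"}, {"Cookie": "session=abc"}):
        print(hdrs, "->", tracking_response_headers(hdrs, "u123"))
```

The point the legislation debate tends to skip: the header is only a request. Nothing in the browser stops a server that ignores it, which is why the article notes that no tracking company had yet committed to honoring the signal.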

Representatives of the three companies sparred gently over the merits of the differing approaches at a conference Wednesday at the University of California, Berkeley. Alex Fowler, Mozilla’s global privacy and public-policy leader, said it wanted to give users flexibility in choosing the companies they will and won’t allow to track them.

“We’ve done this intentionally because there is a spectrum of values across our users,” Mr. Fowler said. Some “don’t want to see ads or be tracked” at all, while others “see value in free services by receiving free advertising.”

Privacy issues are heating up on Capitol Hill. Earlier this week, Rep. Bobby Rush, D-Ill., re-introduced privacy legislation that he introduced during the last session of Congress. His bill would establish baseline federal privacy laws around the collection of personal data. Sen. John Kerry, D-Mass., is also expected to introduce privacy legislation in the coming weeks.

There is no comprehensive U.S. law that protects consumer privacy online. Internet privacy issues generally are policed by the FTC, which can take action only if a privacy-violating action is deemed “deceptive” or “unfair.” Last year, the Obama Administration called for a Web privacy “bill of rights” to help regulate the personal data collection industry.

Of course, these Democratic bills face challenges in the Republican House of Representatives. Ms. Speier said while the bill has two co-sponsors, both Democrats, she is “hopeful we’ll find Republican co-sponsors — we’re hopeful of finding Tea Party-Republicans, because that’s a closely held value” of Tea Party Conservatives, she told Digits.

Ms. Speier also noted support from the Consumers’ Union, Consumer Action, Consumer Federation of America, Consumers Watchdog and the American Civil Liberties Union. The Congresswoman predicted broad support because “86 percent of the public that has been polled nationally wants to have the option of not being tracked.”

Chris Lee Resigns After Craigslist Photos Come To Light

From your classmate Ife via the Huffington Post...

Rep. Chris Lee (R-N.Y.) announced early Wednesday evening that he will resign his seat in the U.S. House of Representatives.

Buffalo-based station YNN relays a statement from Lee, who has signaled that he will vacate his post immediately:

"It has been a tremendous honor to serve the people of Western New York. I regret the harm that my actions have caused my family, my staff and my constituents. I deeply and sincerely apologize to them all. I have made profound mistakes and I promise to work as hard as I can to seek their forgiveness.
"The challenges we face in Western New York and across the country are too serious for me to allow this distraction to continue, and so I am announcing that I have resigned my seat in Congress effective immediately."
News of Lee's decision to step down comes just hours after it was reported that the married congressman sent shirtless photos of himself to a woman he connected with on the "Women Seeking Men" section of Craigslist.

HuffPost's Nick Wing reported earlier in the day:

According to Gawker, the 46-year-old married Republican responded to a listing posted last month by a 34-year-old woman looking for "financially & emotionally secure" men who "don't look like toads."
In an email, sent from an account admittedly registered to Lee, someone reportedly replied, claiming to be a 39-year-old, "6ft 190lbs blond/blue," "divorced" "lobbyist."
After a few flirty back-and-forths, the woman told Gawker that Lee sent her a picture of himself, sans shirt.
Asked for comment, Lee's spokesman provided a denial and claimed that the congressman's email account had been hacked.
"The Congressman is happily married," the spokesman told Gawker. "The only time he or his wife posted something online was to sell old furniture when they changed the apartment they keep in DC."

UPDATE: "People cheat everyday, but only dumb people get caught," said the woman who received the half-naked photos. She gave a full interview to TheLoop21.com on Wednesday night.

Her blunt evaluation comes after receiving flirty emails that used the congressman's name, originated from the email address associated with his Facebook profile (since deleted), and contained photos that clearly seemed to show his face -- and shirtless torso. So much for internet anonymity.

The woman, who works in government, requested to maintain her own anonymity in exchange for the accounts provided to Gawker and TheLoop21. HuffPost spoke with a friend of the woman who confirmed her story about getting the emails and photos after posting a personal ad on Craigslist.

In the interview with TheLoop21.com, the woman said she figured the story put forward by Lee's spokesman about a hacker was "bullsh*t."

"Dating in D.C. sucks," she summed up. Click here for more.

Denying allegations

Interesting thoughts from Lawrence on maintaining our reputations in the digital age ...

Trust and reputation are two important aspects of civilization. The former is often influenced by the latter. You would not trust someone who has been charged with fraud or other such crimes. You would not vote for a politician that has been accused of (often sexually) harassing interns. In the last century, we relied on a wide array of evidence to judge whether the individual was guilty or not. Evidence such as video surveillance tapes, phone records, credit card bills and many other things. I listed these forms of evidence because I want to discuss their legitimacy in court in the 21st century.

Technology has advanced dramatically in recent years and we have become capable of incredible feats often experienced in movies (e.g. Avatar) or, less often, in the form of online theft (by hackers all over the world) draining your bank account.
My worry is that video surveillance and many other things might be easily altered to fit the crime (or not), thus undermining their validity as evidence in court.
I'll give you a few illustrations. Facebook accounts can be hacked; therefore the content can also be altered. Imagine someone 'unearthing' incriminating pictures of you on Facebook and, consequently, you are arrested and put on trial. You know that the pictures are fake because you never found yourself in the situation depicted in the picture. Of course you don't; they were Photoshopped by someone who has something to gain from you going to prison. The jury does not believe your account and sends you to prison for whatever you have done (not fair, I know). Replace Facebook in this whole story with other things like credit card bills or phone call records and come to the same conclusion.

The modern court of tomorrow will pick up on these practices and revise their list of approved forms of evidence (excluding things like mentioned above).
Imagine a politician who did sexually harass an intern and it was caught on tape. This politician happened to have many allies and enemies. In court, the politician could claim that the person on the video is not really him, but a virtually rendered version of him by animators and programmers (think about animated movies these days). The court has reason to believe him because he has many enemies who would gain by faking something like this.

Therefore, technology (hacking, etc.) can render many forms of evidence useless.

My concern is the way we use the internet and how we behave on it. How will we be able to hold each other accountable (online) if all the things we do (good or bad) can be brushed off as conspiracy if someone presses charges?
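The standard answer from the forensics side to the worry Lawrence raises, added here as an example and not part of his post: an item is not trusted because of where it was found, but because a custodian recorded its hash at collection time, chained that record to the previous one, and authenticated the chain under a key only the custodian holds. Altering the photo, rewriting a record, or deleting one later all surface at verification. The Python below is example code written for this page. It uses an HMAC key as a stand-in for the digital signature a real evidence system would use, and the class name, the sample bytes and the timestamps are constructed for the example.

```python
import hashlib
import hmac
import json
import time

GENESIS = "0" * 64  # previous-tag value for the first entry in the chain


class EvidenceLedger:
    """Tamper-evident record of collected evidence (example code).

    Each entry stores the SHA-256 of the item's bytes, a collection time,
    and the authentication tag of the previous entry, and is itself
    authenticated with an HMAC under the custodian's key. Changing any
    item, record, or the order of records invalidates verification.
    """

    def __init__(self, custodian_key):
        self._key = custodian_key
        self.entries = []

    @staticmethod
    def digest(data):
        return hashlib.sha256(data).hexdigest()

    def _tag(self, fields):
        # Canonical serialisation so the same fields always give the same tag.
        body = json.dumps(fields, sort_keys=True).encode()
        return hmac.new(self._key, body, hashlib.sha256).hexdigest()

    def record(self, label, data, collected_at=None):
        prev_tag = self.entries[-1]["tag"] if self.entries else GENESIS
        fields = {
            "index": len(self.entries),
            "label": label,
            "sha256": self.digest(data),
            "collected_at": time.time() if collected_at is None else collected_at,
            "prev_tag": prev_tag,
        }
        entry = dict(fields, tag=self._tag(fields))
        self.entries.append(entry)
        return entry

    def verify(self, items):
        """items maps label -> bytes currently held. Returns a list of
        problems; an empty list means every record and item checks out."""
        problems = []
        prev_tag = GENESIS
        for i, entry in enumerate(self.entries):
            fields = {k: v for k, v in entry.items() if k != "tag"}
            if fields.get("index") != i:
                problems.append(f"entry {i}: index mismatch (entry removed or reordered)")
            if fields.get("prev_tag") != prev_tag:
                problems.append(f"entry {i}: chain broken (earlier entry changed)")
            if not hmac.compare_digest(self._tag(fields), entry.get("tag", "")):
                problems.append(f"entry {i}: record altered")
            label = fields.get("label")
            data = items.get(label)
            if data is None:
                problems.append(f"entry {i}: item {label!r} missing")
            elif self.digest(data) != fields.get("sha256"):
                problems.append(f"entry {i}: item {label!r} altered since collection")
            prev_tag = entry.get("tag", "")
        return problems


if __name__ == "__main__":
    # Constructed sample evidence: a fake image and a fake log line.
    photo = b"\x89PNG constructed sample image bytes"
    log = b"2011-02-11 login from 10.0.0.5"
    ledger = EvidenceLedger(b"custodian-secret")
    ledger.record("photo.png", photo)
    ledger.record("auth.log", log)
    print("clean:", ledger.verify({"photo.png": photo, "auth.log": log}))
    print("edited photo:", ledger.verify({"photo.png": photo + b"x", "auth.log": log}))
```

This does not prove that the photo was genuine when it was collected; it proves that what is shown in court is what was collected, by whom, and when. That is the narrower claim a court actually needs, and it is the one that a chain-of-custody record, rather than the platform the item came from, supports.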

Exabytes: Documenting the 'digital age' and huge growth in computing capacity

A hat tip to two of your classmates Katharina and Katie for pointing this Washington Post article out to me ...

Megabytes are dead.

Gigabytes are passe.

So much digital data now moves around the globe that those who endeavor to measure it employ a new - or new to non-nerds - term.

Meet the exabyte.

How much data is an exabyte? It's a billion gigabytes - and it signifies just how digital and data-intensive the world has become.

In 2007, the global capacity to store digital information - on computer hard disks, smartphones, CDs and other digital media - totaled 276 exabytes, a new report finds.

How much is that? Imagine a stack of CDs - each holding an album's worth of digital music - shooting from the top of your desk to 50,000 miles beyond the moon.

But not everyone has equal access to those resources. In fact, the digital gap between rich and poor countries appears to be growing, said Martin Hilbert of the University of Southern California, who led the audacious effort to tally all of civilization's information and computing power.

In 2002, people in developed countries had access to eight times the bandwidth - or information-carrying capacity - of people in poorer nations, Hilbert said, citing data he will publish soon. By 2007, that gap had almost doubled.

"If we want to understand the vast social changes underway in the world, we have to understand how much information people are handling," Hilbert said.

To address that question, Hilbert and co-author Priscila Lopez spent four years poring over 1,110 sources of information spanning from 1986 to 2007, including sales data from computer and cellphone makers and the music and movie industries.

In 1986, a year after digital CDs widely debuted, vinyl records still accounted for 14 percent of all data on Earth, with audiocassettes holding an additional 12 percent.

By 2000, digital media accounted for just 25 percent of all information in the world.

After that, the prevalence of digital media began to skyrocket. In 2002, digital storage capacity outstripped the non-digital variety - mostly paper and videotapes - for the first time.

"That was the turning point," said Hilbert, who published the report in the journal Science. "You could say the digital age started in 2002. It continued tremendously from there."

By 2007, the last year documented in the study, 94 percent of all information storage capacity on Earth was digital. The other 6 percent resided in books, magazines and other non-digital formats, particularly videotape, Hilbert and Lopez found.

But despite the forecasts of futurists, a paperless world has not arrived. Although stupendously outstripped in growth by digital media, the amount of paper produced for books, magazines, newspapers and office use climbed steadily over the two decades of the study.

As for computing power - the number of calculations per second available in all of the computers in the world - that grew faster than even information storage, muscling ahead at an average annual growth rate of 58 percent over 21 years. Information storage, in contrast, grew at a rate of 23 percent.

Of course, for anyone tethered to an iPhone, Gmail and Facebook all day, all of this probably comes as no surprise.

That daily digital activity contributes to a churning information tsunami. Humans generate enough data - from TV and radio broadcasts, telephone conversations and, of course, Internet traffic - to fill our 276 exabyte storage capacity every eight weeks, Hilbert said. Of course, most of the digital traffic is never stored long term, evaporating into the ether.

The study prompts deep questions, one of which Hilbert plans to explore soon: How much of this data deluge is truly useful? Or, as Hilbert distilled it, "What's the value of watching a silly cat video versus reading an overpriced book?"

While we wait for an answer, social scientists worry that the mounting data carry a hidden cost: disconnection from one another.

"We'd like to think that [information technology] changes everything, that the amazing statistics these authors cite mean that our society has fundamentally and irreversibly changed," said Thomas J. Misa, who studies the history of technology at the University of Minnesota. "I'm a bit more skeptical." After all, Misa said, "there are still secret prisons in Cairo where government agents savagely beat people. Cellphones and social media didn't change that."

Perhaps not, but widespread reports from Egypt suggest that online social networking contributed to - or even prompted - the ongoing demonstrations there.

The study also found that Earth had 3.4 billion cellphones in 2007, with telecommunications traffic growing at an average rate of 28 percent per year between 1986 and 2007. That's a lot of minutes on your plan.

In a second report Hilbert plans to publish in a few months, he found that an ever-increasing slice of our daily data resides not on home computers and the smartphones in our pockets, but in giant data warehouses owned by Google, Facebook, Citibank, the federal government and other huge entities. Microsoft's recent ad campaign touts the benefits of moving all of your personal data to "the cloud," invoking white puffs that magically - and cleanly - store our home photos.

The reality is much dirtier. In 2006, the nation's "server farms" - the home of the cloud - sucked down 1.5 percent of all electricity in the United States, double the amount used in 2000, the Environmental Protection Agency reported. Congress ordered the report out of concern that our insatiable demand for Facebook and YouTube would push the United States to build 10 new pollution-spewing coal plants.

But Hilbert offers a humbling comparison. Despite our gargantuan digital growth, the DNA in a single human body still stores far more information - and a single human brain computes far more calculations - than all the technology on Earth.

"Compared to Mother Nature," Hilbert said, "we are humble apprentices."

Monday, February 7, 2011

Fake Dating Site Lifts Pictures And Names from Facebook -- Without Asking

From the San Francisco Chronicle ...

A pair of artists gathered the public profiles of more than 1 million Facebook users, then took the pictures and created a fake dating site called Lovely-Faces.com.

Users can search based on nationality, traits like "easy going," and gender, or can simply enter a name and see if they're in the database. When users click a result to "arrange a date," they're taken to the person's public Facebook profile.

The site scraped Facebook data without permission, and the company told Wired that it's not amused and will "take appropriate action."

Basically, it looks like an awkward commentary on the shallowness of online dating profiles and Facebook's confusing privacy policies, but violating privacy to make a point about privacy doesn't work very well. The artists, Paolo Cirio and Alessandro Ludovico, tried to explain their point in a press release issued yesterday (PDF here), but it's basically a bunch of gibberish -- or maybe that's part of the art.

Did the Internet Kill Privacy?

From CBSNews ...

"For the first time, people were sneaking around taking photos of other people without their permission," said Lane.

It sparked an 1890 Harvard Law Review article in which future Supreme Court Justice Louis Brandeis and attorney Samuel Warren warned against an ongoing loss of privacy!

Today, one of the fastest-growing businesses on the Internet is something called data mining: companies collecting our private information, packaging it, using it, selling it.

Michael Fertik, a Harvard Law School grad who runs a company called Reputation.com, came up with information I thought was private. I was wrong.

"I think this is your Social Security number," Fertik said. It was!

He also revealed what he called my "online reputation," based mainly on where I happen to live.

"Our query is pretty confident that you're a Democrat and pretty confident that you're a Catholic," Fertik said.

"But that may not be correct," said Moriarty.

"It may just not be correct," he explained.

And then there's something that could cause a real headache down the road …

"There's an Erin F. Moriarty who grew up just a few miles where you did, who has been convicted of serving alcohol to minors," Fertik said. "And it'd be very easy for a machine to confuse you and that person, and to think that you are a convicted criminal."

Even though the OTHER Erin is 20 years younger!

Fertik's company helps people track down and correct misinformation. But most of us will never even know it's there.

"The dossier on each of us that is easily aggregated digitally is now probably, let's call it ten pages," Fertik said. "Four years ago it was two pages. In four or five years, it's going to be 100 pages. Why? Because the amount of data that is being collected about each of us, proliferates. Your phone records, your rental records, those different databases that no one originally intended to be combined with one another are being combined now with blazing speed."

But David J. Moore, who runs 24/7 RealMedia, an Internet advertising firm, seems unfazed.

He points out that marketing information about potential customers is really nothing new.

"Magazine publishers for years have been selling the list of subscribers they have to the advertisers that want to send a mailing to them," he said.

And keep in mind: the more specific and detailed the information, the better companies can target their advertisements to customers who really want it.

"Let's ask the 500 million people that are on Facebook how concerned are they about their privacy," Moore said. "Or the 100 million that are on MySpace? Most of them really don't care."

Don't tell that to high school teacher Ashley Payne.

"Yes, I put it on the Internet, so you can make that argument," she said. "But it sort of feels like the same thing as if I had put the pictures in a shoebox in my house and someone came in and took them and showed one of them to the principal."

What's worse, after she resigned her job at Apalachee High School, Payne says she learned the original complaint came in an anonymous e-mail - not in a phone call from an angry parent.

"No parent has ever claimed it," Payne said. "There's never been any other complaints against me at this school from teachers, students or parents."

Officials at the Barrow County Schools, who declined to speak to "Sunday Morning," have so far refused to re-hire Payne.

In court documents, they say teachers were warned about "unacceptable online activities" by the district. Payne's page, they say, "promoted alcohol use" and "contained profanity."

She is now in graduate school and is suing the district. She says she wants to be sure that the Internet won't just record how Ashley Payne lost her job, but that she fought back.

"I want to clear my name, first of all," she said. "And I just want to be back in the classroom, if not that classroom, a classroom. I want to get back doing what I went to school for, my passion in life."

Thursday, February 3, 2011

Vodafone network 'hijacked' by Egypt

From the BBC ...

Mobile phone firm Vodafone has accused the Egyptian authorities of using its network to send unattributed text messages supporting the government.

Vodafone was told to switch off services last week when protests against President Hosni Mubarak began.

But the authorities then ordered Vodafone to switch the network back on, in order to send messages under Egypt's emergency laws, the firm said.

In a statement, Vodafone described the messages as "unacceptable".

"These messages are not scripted by any of the mobile network operators and we do not have the ability to respond to the authorities on their content."

Likely cost

The Paris-based Organisation for Economic Co-operation and Development says that the government clampdown on internet services may have cost the Egyptian economy as much as $18m (£11m) a day or $90m in total.

The impact of the communications block could be even greater, as it would be "much more difficult in the future to attract foreign companies and assure them that the networks will remain reliable", said the OECD in a statement.

In another development, the credit ratings agency Fitch has downgraded Egypt's debt grade by one notch to BB from BB+, citing the consequences of the continuing political unrest on the economy.

The country's debt grade has already been downgraded by two other ratings agencies, Moody's and Standard & Poor's.

The estimates of the economic impact of the network shutdown are interesting, but I found the reporting on how the Egyptian government used the Vodafone network to disseminate propaganda more relevant to our in-class discussions.

Facebook treads carefully after its vital role in Egypt's anti-Mubarak protests

A fascinating look at Facebook's role in helping anti-government protesters in Egypt and around the world by the Washington Post's Cecilia Kang and Ian Shapira:

In Egypt, the tried-and-true tool for opponents of President Hosni Mubarak in recent years has been Facebook. Most recently, it was on Facebook - which boasts 5 million users in Egypt, the most in the Arab world - where youthful outrage over the killing of a prominent activist spread, leading to the protests in Cairo's Tahrir Square and Mubarak's promise to step down this year.

But Facebook, which celebrates its seventh birthday Friday and has more than a half-billion users worldwide, is not eagerly embracing its role as the insurrectionists' instrument of choice. Its strategy contrasts with rivals Google and Twitter, which actively helped opposition leaders communicate after the Egyptian government shut down Internet access.

The Silicon Valley giant, whether it likes it or not, has been thrust like never before into a sensitive global political moment that pits the company's need for an open Internet against concerns that autocratic regimes could limit use of the site or shut it down altogether.

"The movement [in Egypt] was very dependent on Facebook," said Alaa Abd El Fattah, an Egyptian blogger and activist in South Africa who has a strong following in Egypt. "It started with anger then turned into a legitimate uprising."

The recent unrest in Egypt and Tunisia is forcing Facebook officials to grapple with the prospect that other governments will grow more cautious of permitting the company to operate in their countries without restrictions or close monitoring, according to David Kirkpatrick, author of "The Facebook Effect," an authorized biography of the company's history. Facebook is also looking at whether it should allow activists to have a measure of anonymity on the site, he said.

"I have talked to people inside Facebook in the last week, and they are debating this internally," Kirkpatrick said. "Many countries where Facebook is popular have autocracies or dictatorships, and most of the countries have passively tolerated their popularity. But what's happened in Egypt or Tunisia is likely to change other countries' attitudes, and they'll be more wary of Facebook operating there."

A Facebook spokesman, Andrew Noyes, declined to make anyone at the company available to discuss its role in the Egypt protests or its strategy in politically fraught environments. In a short statement, Noyes said: "Although the turmoil in Egypt is a matter for the Egyptian people and their government to resolve, limiting Internet access for millions of people is a matter of concern for the global community. It is essential to communication and to commerce. No one should be denied access to the Internet."

(Washington Post Co. Chairman Donald E. Graham sits on Facebook's board.)

Even when Facebook has actively helped protesters work around government intrusions, the company casts its moves as mere technical solutions. Last month, after Tunisian security officials used a virus to secretly collect local Facebook user IDs and passwords, the Internet giant took action. It rerouted Tunisia's Facebook traffic to a site where local Internet service providers couldn't gobble up user information.

In a statement released to The Post, the company said it viewed the predicament as just a "security problem" in need of a fix.

"Certainly there's a political context to the particular circumstance in Tunisia, but from Facebook's perspective, what happened was a security problem that required a technological solution: we prevented an exploit that was making Facebook accounts vulnerable and restored the integrity of the compromised accounts," wrote Joe Sullivan, Facebook's chief security officer. "We would have taken the same approach in any situation where we saw a systematic exploit."
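What a "technological solution" to that kind of attack looks like in practice, added here as an example and not Facebook's own code: when a login page travels over plain HTTP, anyone in the path, the local ISP included, can rewrite the page or read the submitted password. The fix is to refuse to serve the login flow over HTTP at all, redirect to HTTPS, tell the browser to remember that (the Strict-Transport-Security header), and mark session cookies Secure and HttpOnly so they are never sent in the clear or readable by injected script. The Python below is example code written for this page; the function names, the request/response dicts and the host "www.example.com" are constructed for the example.

```python
from urllib.parse import urlunsplit

HSTS = "max-age=31536000; includeSubDomains"  # one year; browsers refuse http afterwards


def enforce_https(request):
    """request is a dict with 'scheme', 'host', 'path' and optional 'query'
    as parsed by the front end. A plain-HTTP request gets a redirect and no
    content; an HTTPS request returns None so the handler can proceed."""
    if request["scheme"] != "https":
        target = urlunsplit(("https", request["host"], request["path"],
                             request.get("query", ""), ""))
        return 301, [("Location", target)], b""
    return None


def harden_response(request, status, headers, body):
    """Force Secure and HttpOnly on every Set-Cookie and add HSTS on HTTPS."""
    out = []
    for name, value in headers:
        if name.lower() == "set-cookie":
            attrs = [a.strip() for a in value.split(";") if a.strip()]
            lowered = [a.lower() for a in attrs]
            if "secure" not in lowered:
                attrs.append("Secure")
            if "httponly" not in lowered:
                attrs.append("HttpOnly")
            value = "; ".join(attrs)
        out.append((name, value))
    if request["scheme"] == "https":
        out.append(("Strict-Transport-Security", HSTS))
    return status, out, body


def insecure_findings(request, status, headers, body):
    """Audit a login response for the weaknesses an in-path attacker exploits."""
    findings = []
    if request["scheme"] != "https":
        findings.append("login page served over http: content can be modified in transit")
    for name, value in headers:
        if name.lower() == "set-cookie" and "secure" not in value.lower():
            findings.append(f"cookie without Secure flag: {value.split('=')[0]}")
    if b'action="http://' in body:
        findings.append("form posts credentials over http")
    if request["scheme"] == "https" and not any(
            n.lower() == "strict-transport-security" for n, _ in headers):
        findings.append("no HSTS: the next visit can still start over http")
    return findings


def serve_login(request):
    """Complete handler: redirect plain HTTP, otherwise serve a hardened page."""
    redirect = enforce_https(request)
    if redirect:
        return redirect
    body = (b'<form method="post" action="https://' + request["host"].encode()
            + b'/login">...</form>')
    return harden_response(request, 200,
                           [("Content-Type", "text/html"),
                            ("Set-Cookie", "session=abc123; Path=/")],
                           body)


if __name__ == "__main__":
    # Constructed requests: the weak path an ISP could tamper with, and the fixed one.
    weak = {"scheme": "http", "host": "www.example.com", "path": "/login"}
    print("http request ->", serve_login(weak)[:2])
    safe = {"scheme": "https", "host": "www.example.com", "path": "/login"}
    status, headers, body = serve_login(safe)
    print("https findings:", insecure_findings(safe, status, headers, body))
```

The redirect alone is not enough: the first request of a session still starts over HTTP and can be intercepted before the redirect arrives, which is what the HSTS header is for. The audit function is the kind of check worth running against every page that accepts a password, not only the main login form.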

Yet Facebook seems to be veering in a different direction than Google, which has battled China over censorship, or Twitter, the microblogging site that earned renown during the Iranian protests of 2009 for delaying a scheduled shutdown and facilitating civil protest in Tehran. This week, Twitter, Google and SayNow, a voice-based social media platform, launched a service that provides Egyptians with phone numbers to call and leave messages, which are recorded and posted on the Internet. It's called Speak2Tweet.

In early 2010, in the wake of Google's censorship clashes with China, Facebook was one of a handful of companies blasted by Congress for refusing to participate in Senate committee hearings that examined how Silicon Valley companies were operating with foreign governments. Facebook responded at the time by saying it had no employees in China and that it was a different kind of business than Google.

Facebook's director of public policy, Tim Sparapani, wrote in a letter to Sen. Richard J. Durbin (D-Ill.): "These conflicting approaches present challenges for companies, particularly ones such as Facebook that are small and growing, to navigate new markets around the world without strong support from national governments and multinational institutions."

Facebook hasn't joined the Global Network Initiative, a nonprofit coalition of communications companies - including Microsoft, Google and Yahoo - established to create anti-censorship standards around the world. (Twitter hasn't joined, either.)

Some advocates of online free speech say Facebook can no longer linger on the sidelines.

"The good news for Twitter and Facebook is how important they are, and one should congratulate them for being critical tools," said John Palfrey, the co-director of Harvard University's Berkman Center for Internet & Society. "But also, there is an obligation that comes with that level of adoption."

Even though Facebook has refrained from taking overtly political stances on Egypt, the social network remains a vital tool for conveying anti-government news about Egypt.

Riyaad Minty, al-Jazeera's social-media head, said the news agency has been live-streaming its coverage of the protests on its Facebook fan pages in the United States and Arab world, boosting its fan volume by 30 to 50 percent; its half-dozen status updates about the crisis have reaped 10 million views a day, up from the 2 million daily views the pages had previously, Minty said.

"I do think governments see Facebook as a political tool, which is why Egypt has shut off the Internet," said Minty, adding that he prefers Facebook's more objective approach so it does not unnecessarily rattle conservative foreign leaders.

Additionally, Facebook ad sales teams have been helping al-Jazeera capitalize on Egypt's crisis to attract more eyeballs in the United States and build up a new, loyal audience.

"They've been giving us strategic advice," he said. "We're targeting people over 18, and our big push has been toward the U.S. audience."

Some Internet experts say Facebook needs to determine how to protect its users in countries with restrictive regimes, but the company's terms of use - which require members to use real identities - make protesters vulnerable to government spying. Facebook chief executive Mark Zuckerberg has insisted on the policy, saying the site would lose integrity if people hid behind phony identities.

"People at Facebook have been asking themselves in the wake of Egypt or Tunisia whether there might be a way they can allow political activities in these spontaneous revolts to acquire a little bit of anonymity," said Kirkpatrick, the company's biographer. "The problem is, if they start making it easier for political activists to use Facebook in places like Egypt or Tunisia, those same capabilities are likely to be used by people we don't admire or pro-government thugs."

Kirkpatrick added that these choices all come down to the company's famously private CEO.

"Inside Facebook," he said, "there's really only one person who makes these decisions. He has to decide."

Pay particular attention to the offense vs. defense battle between nation-states and opposition movements: specifically, how nation-states try to use platforms like Facebook to gather information on their opponents, while opposition movements attempt to use Facebook and other tools to rally dissent. This piece provides a fascinating perspective on the emerging battleground in cyberspace and on how privacy and security are intertwined.

Wednesday, February 2, 2011

The Internet Should Not Be Anonymous

Via Roger Grimes at PCWorld

The news of the U.S. government's latest attempt at a national citizen "Internet ID" brought yet another round of choruses: The Internet must be free! Any government ID plan is bad! Anonymity for all forever! Perform an Internet search on "Obama national Internet ID" to see the screeds against the proposed plan. Security experts around the world are saying the government would have to pry their anonymity from their cold, dead touchscreens.

I chuckled at these angry responses because they sound like the heated calls for anarchy in the 1970s from tattooed punk rockers smoking unfiltered Camels while the Sex Pistols played in the background. The difference is the angry masses in this case are being riled up by security experts, who have been ranting wildly enough to spill their expensive Imperial Stout all over their tablet devices and brie salads.

Notably, the details behind the plan are scarce right now. The rationale, according to U.S. Commerce Secretary Gary Locke, is "enhancing online security and privacy, and reducing and perhaps even eliminating the need to memorize a dozen passwords, through creation and use of more trusted digital identities."

Even though I'm a huge privacy proponent, I get a little tired of seeing every proposal for a national or government ID met with absolute aversion. Security isn't binary. If a national ID plan offers more benefits than disadvantages, then I don't want to throw the baby out with the bathwater.

Total Internet anonymity means total anarchy

Just like the anarchist who is the first to call the police when punched in the face over his or her beliefs, the Internet would fall if we had total anonymity and no means of ensuring trust. Without strong authentication, authorization, and accounting, even places on the Internet meant for total anonymity would fail. The Internet would not be the Internet. Why? Because someone has to pay the bills and maintain control.

If the Internet was completely anarchistic, with no access control, websites would be constantly taken down, denial-of-service attacks would be even more common than they are today, and anyone could pretend to be anyone else. (This is already all too easy to do on Facebook, one of the biggest websites ever.)

Someone has to exert control and make sure ill-intentioned people don't take it all down. In the perfect world, no one would ever try to take down a website or disrupt someone else's legitimate actions. But human beings are imperfect and often seem overly capable of damaging other people's resources and experience. Case in point: I consulted for the owners of a thoroughly hacked website that had been created for collecting donations for a child's cancer treatment. I'm sure the hacker has plenty of personal excuses to rationalize his or her behavior.

Driver's licenses aren't all bad

I think most of us agree that some form of access control is needed in order for the Internet to be a useful tool for billions of people, especially as more and more critical services go online. The real question: How much control and who should control it? I'm pretty sure I don't want any government controlling the Internet, but I'm not sure a national logon ID is a complete takeover.

A lot of people whom I respect and admire are totally against any government agency requiring anyone to have a common identifier in the real world, such as a Social Security number or a passport, or on the Internet. They argue that such IDs are guaranteed to be hacked, abused, and misused -- both by malicious people and the very governments that issue them.

I understand the inherent concerns about giving any entity total trust, but a blanket statement against any common and trusted ID doesn't seem to be fair either. Although common IDs are largely imperfect, they provide value all throughout society. For example, I'm delighted that underage children aren't allowed to drive cars and that adults are forced to take a test before they can. I like that my world has street names and sequenced housing addresses so that it's easier for mail to be delivered and for the fire department and rescue squads to find my house.

For each ID we have, we should ask ourselves if society is better off with or without it. I'm not talking about using scary edge cases as the determiner, but looking at all the positives and negatives before registering complete disdain.

Know your Net neighbors

Perhaps you support the idea of driver's licenses and passports but still don't see how a national Internet ID would make the Web a safer place. Well, if the system could improve identity assurance (that is, the person is who they say they are), then it could prove useful. Maybe it would require two- or multifactor, biometric identification. A well-designed authentication system would consider all the components of the system and elevate or de-elevate assurance levels as appropriate.

This wouldn't stop hacking -- or identity theft, for that matter -- because bad guys can simply reuse credentials after the person has successfully authenticated on their compromised workstation. But it would be better than the default simple name and passwords we use today.

The details behind the Obama administration's push for a national Internet ID aren't known. But I do know that the Internet needs to be a more trustworthy place than it is today, and I'm willing to listen to new solutions that might help -- at least long enough to learn all the facts before just saying no.

In fact, I'd be happy if all it does is get the discussion to the end-game going. Anything is better than what we currently have in place.
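The column's point about a system that "elevates or de-elevates assurance levels as appropriate" is easier to see in code. The following is an added example, not code from the column or from any government ID program: a small policy engine in which independent factor kinds and a trusted device raise the assurance level, an untrusted network or a stale session lowers it, and each action demands a minimum level. The factor kinds, level names, action table and 15-minute freshness window are hypothetical choices made for the illustration.

```python
"""Assurance-level policy engine: factors and context raise or lower
the level, and sensitive actions demand a minimum level.  Added example
with a hypothetical policy, not the design of any real Internet-ID scheme."""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import List


class Assurance(IntEnum):
    NONE = 0
    LOW = 1      # one kind of factor, e.g. a password alone
    MEDIUM = 2   # two different kinds of factor
    HIGH = 3     # two kinds of factor from a trusted device on a trusted network


# Factor kinds: something you know, have, or are.  Two factors of the same
# kind (two one-time-code generators) do not raise the level.
FACTOR_KIND = {
    "password": "knowledge",
    "totp": "possession",
    "hardware_token": "possession",
    "fingerprint": "inherence",
}

MAX_FRESH_SECONDS = 900  # hypothetical: re-authenticate for sensitive actions after 15 minutes

# Minimum level per action (hypothetical policy table).
REQUIRED = {
    "read_profile": Assurance.LOW,
    "change_address": Assurance.MEDIUM,
    "transfer_funds": Assurance.HIGH,
}


@dataclass
class Context:
    factors: List[str] = field(default_factory=list)
    device_trusted: bool = False     # e.g. a registered, attested device
    network_trusted: bool = False    # e.g. corporate LAN rather than public Wi-Fi
    session_age_s: int = 0           # seconds since the last fresh authentication


def assurance_level(ctx: Context) -> Assurance:
    """Elevate for independent factor kinds and a trusted device; de-elevate
    for an untrusted network or a stale session."""
    kinds = {FACTOR_KIND[f] for f in ctx.factors if f in FACTOR_KIND}
    if not kinds:
        return Assurance.NONE
    level = Assurance.LOW if len(kinds) == 1 else Assurance.MEDIUM
    if level == Assurance.MEDIUM and ctx.device_trusted:
        level = Assurance.HIGH
    if not ctx.network_trusted:
        # Public Wi-Fi caps the level: the device may be trusted, the path is not.
        level = min(level, Assurance.MEDIUM)
    if ctx.session_age_s > MAX_FRESH_SECONDS and level > Assurance.NONE:
        # A captured session is only as good as its freshness window: forcing
        # re-authentication narrows (but does not close) the replay window.
        level = Assurance(level - 1)
    return level


def authorize(action: str, ctx: Context) -> str:
    """Return 'allow', 'step-up' (ask for another factor or re-authentication)
    or 'deny' (unknown action)."""
    required = REQUIRED.get(action)
    if required is None:
        return "deny"
    return "allow" if assurance_level(ctx) >= required else "step-up"


if __name__ == "__main__":
    office = Context(["password", "totp"], device_trusted=True, network_trusted=True)
    cafe = Context(["password", "totp"], device_trusted=True, network_trusted=False)
    print(authorize("transfer_funds", office))  # allow
    print(authorize("transfer_funds", cafe))    # step-up
```

The freshness rule is the only lever here against the case the column raises, a credential reused from a compromised workstation: it limits how long a captured session stays useful for sensitive actions, but as the column says it does not stop the reuse itself.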

Google Reaches Deal With Connecticut in Data Probe

From Amir Efrati at the Wall Street Journal,

Connecticut's attorney general said Google Inc. won't have to hand over user data it collected from unsecured wireless networks as part of his office's probe of the Internet giant's privacy snafu.

Attorney General George Jepsen said Friday his office reached a deal with the Internet company that allows him to begin settlement negotiations over whether Google violated state law. Last month Google rejected a subpoena issued by Mr. Jepsen's predecessor, Richard Blumenthal, to hand over data the company collected when its Street View cars were within range of unsecured wireless Internet hotspots.

Google's world-wide fleet of Street View cars for years collected images of streets that are used in the company's online mapping service. But they also scanned for wireless networks in order to beef up certain mobile-device applications that help pinpoint the location of users. In some cases the cars inadvertently collected personal information such as email addresses and passwords, Google said last year.

As part of the deal with Connecticut, Google said it wouldn't contest the fact that its Street View cars had collected private user information including URLs of requested Web pages, partial or complete email communications or other information in 2008 and 2009, according to Mr. Jepsen.

A Google spokeswoman reiterated the company's statements that it is "profoundly sorry" for having mistakenly collected payload data from unencrypted wireless networks.

"As soon as we realized what had happened, we stopped collecting all Wi-Fi data from our Street View cars and immediately informed the authorities," she said. "We did not want and have never used the payload data in any of our products and services. We want to delete this data as soon as possible and will continue to work with the authorities to determine the best way forward, as well as to answer their further questions and concerns."

Mr. Jepsen said he is leading a 40-state coalition that is examining the issue, and that he is prepared to file a lawsuit if settlement talks break down.

The Federal Communications Commission said in November it was probing whether Google broke federal law in collecting consumer data via Wi-Fi networks. Another agency, the Federal Trade Commission, previously ended its probe and said Google had taken sufficient steps to prevent a recurrence.

When the mistakes became known earlier this year, Google initially said a review of the data it collected showed it captured fragments of data but later said it also had more-complete pieces of information about Internet users.

Google has said it doesn't believe it broke U.S. law, and the matter has been a bigger problem for the company outside the U.S., where it is facing probes in countries such as Germany, South Korea, and France. It has shown to regulators some of the data it collected.

Sunday, January 30, 2011

Facebook pwns Firesheep

From Facebook.com,

Starting today we'll provide you with the ability to experience Facebook entirely over HTTPS. You should consider enabling this option if you frequently use Facebook from public Internet access points found at coffee shops, airports, libraries or schools. The option will exist as part of our advanced security features, which you can find in the "Account Security" section of the Account Settings page.

There are a few things you should keep in mind before deciding to enable HTTPS. Encrypted pages take longer to load, so you may notice that Facebook is slower using HTTPS. In addition, some Facebook features, including many third-party applications, are not currently supported in HTTPS. We'll be working hard to resolve these remaining issues. We are rolling this out slowly over the next few weeks, but you will be able to turn this feature on in your Account Settings soon. We hope to offer HTTPS as a default whenever you are using Facebook sometime in the future.
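The reason an HTTPS-only option blunts a session sniffer like Firesheep is that a session cookie sent over plaintext HTTP at a coffee-shop access point is readable by anyone on the same network. The following is an added example, not Facebook's code: a small audit that flags the exposures in a response (plaintext transport, session cookies without the Secure and HttpOnly attributes, no Strict-Transport-Security header) and a helper that hardens a Set-Cookie header. The sample responses are constructed for the illustration.

```python
"""Audit HTTP responses for the session-hijacking exposure that serving a
site entirely over HTTPS closes.  Added example with constructed responses."""
from typing import Dict, List, Tuple, Union

Headers = List[Tuple[str, str]]  # header name/value pairs; Set-Cookie may repeat

# Canonical spelling for attributes we re-emit when hardening a cookie.
CANONICAL = {
    "secure": "Secure", "httponly": "HttpOnly", "path": "Path",
    "domain": "Domain", "expires": "Expires", "max-age": "Max-Age",
}


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, Union[str, bool]]]:
    """Split 'name=value; Attr; Attr=val' into name, value and attributes
    (attribute names lower-cased, bare flags mapped to True)."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Union[str, bool]] = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value.strip(), attrs


def audit_response(scheme: str, headers: Headers) -> List[str]:
    """Return one finding per exposure; an empty list means nothing to flag."""
    findings: List[str] = []
    if scheme != "https":
        findings.append("response served over plaintext HTTP: readable on the local network")
    has_hsts = any(k.lower() == "strict-transport-security" for k, _ in headers)
    if scheme == "https" and not has_hsts:
        findings.append("no Strict-Transport-Security header: browser may still make plaintext requests")
    for key, val in headers:
        if key.lower() != "set-cookie":
            continue
        name, _, attrs = parse_set_cookie(val)
        if "secure" not in attrs:
            findings.append(f"cookie {name!r} lacks Secure: browser will also send it over plaintext HTTP")
        if "httponly" not in attrs:
            findings.append(f"cookie {name!r} lacks HttpOnly: readable by page scripts")
    return findings


def harden_set_cookie(header: str) -> str:
    """Re-emit a Set-Cookie header with Secure and HttpOnly added if absent."""
    name, value, attrs = parse_set_cookie(header)
    attrs.setdefault("secure", True)
    attrs.setdefault("httponly", True)
    rendered = [f"{name}={value}"]
    for key, val in attrs.items():
        label = CANONICAL.get(key, key)
        rendered.append(label if val is True else f"{label}={val}")
    return "; ".join(rendered)


# Constructed sample responses: the 'before' a sniffer exploits and the 'after'.
INSECURE_RESPONSE = ("http", [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc123; Path=/"),
])
HARDENED_RESPONSE = ("https", [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000"),
    ("Set-Cookie", harden_set_cookie("session=abc123; Path=/")),
])

if __name__ == "__main__":
    for finding in audit_response(*INSECURE_RESPONSE):
        print("before:", finding)
    print("after:", audit_response(*HARDENED_RESPONSE))  # []
```

The Secure attribute matters even once a site offers HTTPS: without it the browser will still attach the cookie to any plaintext request for the same host, which is exactly the traffic a sniffer on public Wi-Fi is watching.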

House Considers Mandating Internet Data Retention For Crime Solving

ABC News' Mary Bruce reports:

Criminal investigations are “being frustrated” because internet providers are not required by law to retain information on what their customers are doing online, the Department of Justice testified before a House hearing today.

“The gap between providers' retention practices and the needs of law enforcement can be extremely harmful to investigations that are critical to protecting the public from predators,” Justice Department Deputy Assistant Attorney General Jason Weinstein told a House Justice Committee hearing on “data retention as a tool for investigating internet child pornography and other internet crimes.”

“The lack of adequate, uniform and consistent data retention policies threatens our ability to use the legal tools Congress has provided to law enforcement to protect public safety,” he said.

While some internet providers voluntarily retain user data for months or years, others do not retain data at all. Under current law, officers can issue subpoenas, court orders and search warrants to require an internet service provider to hand over user data. The problem, Weinstein testified, is that “those authorities are only useful if the data is still in existence at the time the government seeks to obtain it.”

Judiciary Committee Chair Rep. Lamar Smith, R-Texas, agreed. “When law enforcement officers do develop leads that might ultimately result in saving a child or apprehending a pornographer, their efforts should not be frustrated because vital records were destroyed simply because there was no requirement to retain them. Every piece of discarded information could be the footprint of a child predator,” he said.

Other committee members and the Internet Service Provider Association expressed concern, however, that retaining internet data could infringe on users’ privacy.

“A data retention mandate would raise a number of serious privacy and free speech concerns… Congress should be very hesitant to require service providers to create databases to track the internet activities of 230 million innocent Americans,” said John Morris, General Counsel for the Center for Democracy and Technology.

Florida Democrat Rep. Debbie Wasserman Schultz reiterated “this is not about watching or tracking people’s behavior online… it’s about helping law enforcement connect the dots.”

Beyond privacy concerns, Morris argued that requiring internet providers to extend their data retention for longer periods would be so cost prohibitive that it would harm competition, innovation and ultimately internet users.

Kate Dean, the Executive Director of the Internet Service Provider Association, questioned how companies would keep track of a growing amount of personal user data.

“We’re dealing with people’s lives and liberty here and out of all of this data we have to make sure that, say 18 months down the road, that tiny particular piece of information is exactly the right information linking that exact target,” she said.

Looking ahead, Rep. Jim Sensenbrenner, R-Wis., asked Dean if, in place of a Congressional mandate, her member companies would be willing to come together and develop their own voluntary compliance order.

“I am a firm believer in carrots and sticks and I am tossing you a carrot now… If you aren’t a good rabbit and don’t start eating the carrot, I’m afraid that we’re all going to be throwing the stick at you. So this is an opportunity for you to come up with some kind of a solution,” Sensenbrenner said.

Dean said the Association would be willing to sit down with all parties involved and take an active role in a larger dialogue.

Egypt Disconnected

Image courtesy of Craig Labovitz - the chief scientist at Arbor Networks.

Egypt's ability to cut itself off from the Internet helps demonstrate that nation-states still have some ability to control the free flow of information in the digital age.

Internet ‘Kill Switch’ Legislation Back in Play

From David Kravets at Wired's Threat Level Blog,

The resurgence of the so-called “kill switch” legislation came the same day Egyptians faced an internet blackout designed to counter massive demonstrations in that country.

The bill, which has bipartisan support, is being floated by Sen. Susan Collins, the Republican ranking member on the Homeland Security and Governmental Affairs Committee. The proposed legislation, which Collins said would not give the president the same power Egypt’s Hosni Mubarak is exercising to quell dissent, sailed through the Homeland Security Committee in December but expired with the new Congress weeks later.

The bill is designed to protect against “significant” cyber threats before they cause damage, Collins said.

“My legislation would provide a mechanism for the government to work with the private sector in the event of a true cyber emergency,” Collins said in an e-mail Friday. “It would give our nation the best tools available to swiftly respond to a significant threat.”

The timing of when the legislation would be re-introduced was not immediately clear, as kinks to it are being worked out.

An aide to the Homeland Security committee described the bill as one that does not mandate the shuttering of the entire internet. Instead, it would authorize the president to demand turning off access to so-called “critical infrastructure” where necessary.

An example, the aide said, would require infrastructure connected to “the system that controls the floodgates to the Hoover dam” to cut its connection to the net if the government detected an imminent cyber attack.

What’s unclear, however, is how the government would have any idea when a cyber attack was imminent or why the operator wouldn’t shutter itself if it detected a looming attack.

About two dozen groups, including the American Civil Liberties Union, the American Library Association, Electronic Frontier Foundation and Center for Democracy & Technology, were skeptical enough to file an open letter opposing the idea. They are concerned that the measure, if it became law, might be used to censor the internet.

“It is imperative that cyber-security legislation not erode our rights,” (.pdf) the groups wrote last year to Congress.

A congressional white paper (.pdf) on the measure said the proposal prohibits the government from targeting websites for censorship “based solely on activities protected by the First Amendment of the United States Constitution.”

Oddly, that’s exactly the same language in the Patriot Act used to test whether the government can wiretap or investigate a person based on their political beliefs or statements.

A couple thoughts on this bill:

- What are the implications for our digital privacy? In order to detect cyber threats, is intrusive monitoring of the Internet required?
- And why the *#$! would the Hoover Dam need to be connected to the Internet?