01/05/2014

the NSA is allowed again to continue spying on every US telephone

The Foreign Intelligence Surveillance Court on Friday renewed the NSA phone collection program, said Shawn Turner, a spokesman for the Office of the Director of National Intelligence. Such periodic requests are somewhat formulaic but required since the program started in 2006.

The latest approval was the first since two conflicting court decisions about whether the program is lawful and since a presidential advisory panel recommended that the NSA no longer be allowed to collect and store the phone records and search them without obtaining separate court approval for each search.

In a statement, Turner said that 15 judges on the U.S. Foreign Intelligence Surveillance Court on 36 occasions over the past seven years have approved the NSA’s collection of U.S. phone records as lawful.
http://www.mintpressnews.com/us-spy-court-nsa-keep-collec...

so you know when you call someone in the US


12/19/2013

why the mobile anonymous rumour app whisper survives where others are going down

these are the facts

"The two-year-old app is rapidly gaining popularity. Millions of people use Whisper and it is approaching 3 billion monthly pageviews. On average, people spend more than 20 minutes per day with Whisper, checking its content eight to ten times per day. Whisper has raised $25 million from early Snapchat investor Lightspeed and others.

The people who are spilling their guts on Whisper fall between ages 17 and 28. Heyward says less than 4 percent of his users are under the age of 18. The vast majority of its users—70 percent—are women.

The reason Whisper gets so many people to share things they'd never say out loud is because everything is posted anonymously. In the past, anonymous social networks have been nasty places. Just look at the comments on YouTube, or at failed startups like Juicy Campus, which was sued by people defamed on its site.

Michael Heyward, the app's 26-year-old founder, has gone to great lengths to keep Whisper's content respectful. He never wants anyone to read Whisper and feel like they need to shower. He has 92 people moderating content and comments in the Philippines in addition to the 32 people Whisper employs full-time.

"You are who you are when no one else is looking," Heyward told Business Insider at his Santa Monica headquarters in early December. "Anonymity is a really powerful tool. But we think about it like that Spiderman quote, 'With great power comes great responsibility.'"
http://www.slate.com/blogs/business_insider/2013/12/16/wh...

the big difference is the monitoring, in which he is investing heavily, because it will make the difference between survival and extinction through scandal, suicides, bad press, complaints by parents and 'safe internet for kids' people and so on. And as it is anonymous, nobody can complain that they have blocked or taken down content or postings, and at the same time you don't need all those lawyers, each of whom is as expensive as a whole building full of low-paid third-world moderators.

the other effect of this monitoring for bad behaviour is that those who want to do harm know this is not the medium to do it in, because others are watching too closely and can intervene almost immediately

this is a lesson for all the other proprietors of web forums and other open communication tools: if you invest in monitoring, you can keep people coming back and create a feel-good atmosphere around your place


the Tor entry points are not necessarily anonymous, and this has been proven again

Tor is an underground anonymity network that says it protects your identity, after which stupid people do stupid things thinking nobody will find out who did it

You get access to Tor by downloading the Tor Browser, which connects you to a Tor entry point installed by someone somewhere, and that node forwards you to the different services and protections. These servers do not all run the same versions (that is to say, some still have vulnerabilities), they can be operated by anyone, and some keep more information about their visitors than others

it was this way that they quickly found out which stupid student at Harvard mailed a bomb threat because he wasn't ready for an exam

"Presumably, the originating IP addresses in the email headers pointed to known Tor exit nodes—servers that are publicly listed as being part of the Tor network. The crucial sentence of the affidavit states: “Harvard University was able to determine that, in the several hours leading up to the receipt of the e-mail messages described above, ELDO KIM accessed TOR using Harvard’s wireless network.” Just as the exit nodes are common knowledge, many of the entry, or access, nodes used to connect to Tor are also listed in the service’s directory (some aren’t, to allow access to users in places that have blocked all known Tor servers). So while it’s easy to hide what you’re doing online when you’re using Tor, it’s harder to hide the fact that you’re using it. It sounds as if Harvard was able to consult its network activity logs and simply identify a device on its network that connected to one of these known Tor nodes around the same time the emails were sent. That device, presumably, was registered to Kim.
http://www.slate.com/articles/technology/future_tense/201...

you had better use a real (non-Echelon-based) proxy before you access Tor
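The log correlation the Slate excerpt describes, written out as an added example (not code from the original post, nor Harvard's): a constructed network flow log is matched against a constructed list of directory-listed relay addresses, and the devices that reached a listed relay in the hours before a given incident time are reported. The relay addresses, log lines, incident time and window are all assumptions; as the quote notes, unlisted bridges would not show up in such a match.

```python
"""Added example: correlate network flow records with a list of known Tor
relay addresses, the kind of lookup the quoted article says Harvard made.
The relay list, the flow log and the incident time are all constructed for
this example; a real deployment would load the public relay directory."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed "known relay" addresses (documentation ranges, not real relays).
KNOWN_TOR_RELAYS = frozenset({
    ipaddress.ip_address("198.51.100.7"),
    ipaddress.ip_address("203.0.113.42"),
})

# Constructed flow log: timestamp, source (campus device), destination, dst port.
SAMPLE_FLOW_LOG = """\
2013-12-16T08:02:11 10.20.3.15 198.51.100.7 9001
2013-12-16T08:02:12 10.20.3.15 198.51.100.7 9001
2013-12-16T08:05:40 10.20.9.81 93.184.216.34 443
2013-12-16T11:47:03 10.20.3.15 203.0.113.42 443
2013-12-16T12:10:55 10.20.5.2 203.0.113.42 443
"""


def parse_flow_line(line):
    """Split one space-separated flow record into typed fields."""
    ts, src, dst, port = line.split()
    return (datetime.fromisoformat(ts), ipaddress.ip_address(src),
            ipaddress.ip_address(dst), int(port))


def tor_connections(log_text, relays=KNOWN_TOR_RELAYS):
    """Map each internal source address to the timestamps at which it
    connected to a listed relay.  Only directory-listed relays can match:
    connections to unlisted bridges look like ordinary traffic here."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _port = parse_flow_line(line)
        if dst in relays:
            hits[str(src)].append(ts)
    return dict(hits)


def devices_connected_near(log_text, incident_iso, window_hours=3,
                           relays=KNOWN_TOR_RELAYS):
    """Return {source: [timestamps]} for devices that reached a listed relay
    within `window_hours` before the incident time (an ISO-8601 string)."""
    incident = datetime.fromisoformat(incident_iso)
    start = incident - timedelta(hours=window_hours)
    near = {}
    for src, stamps in tor_connections(log_text, relays).items():
        close = [t for t in stamps if start <= t <= incident]
        if close:
            near[src] = close
    return near


if __name__ == "__main__":
    hits = devices_connected_near(SAMPLE_FLOW_LOG, "2013-12-16T13:00:00")
    for src, stamps in hits.items():
        print(src, [t.isoformat() for t in stamps])
```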


200.000 Belgian email addresses for sale to anyone

these kinds of services are all over the web

they say that these are verified opt-in lists but can't prove it, because the only proof would be if you could search for your own email address and make it disappear

http://emailzz.com/belgium-email-list-47241108/

the problem is that the Privacy Commission can't really intervene because the websites have no legal link with Belgium, so they have to go through a lot of channels to get the service closed down

maybe a more coordinated action on European level is needed


leak of 54.000 email addresses of horoscope users on bia2.com


have you stayed in a hotel in China recently? your personal details may have been hacked and published online

you are not alone: the personal details of 20 million guests of Chinese hotels are being published and distributed as we speak

"WooYun is an online security watchdog which had observed in September that a loophole in CNWisdom, the largest provider of wireless internet for hotels, let hackers gain access to personal information of guests of the hotels. Personal details such as phone numbers, house addresses and also email addresses were retrieved by these hackers.

As a quick retort the service provider, CNWisdom, at the outset had stated that many hotels which were not among its clients back then also fell victim to such a leak from another source. As of December, even though a website with leaked data was shut down, the data has spread.

These hackers have been identifying themselves as the “harbors of evil goods.” It is considered to be wordplay on a particular saying originating from the archives of the Han dynasty. They have started using a WeChat account and are featuring on it now. They are providing a service through which a user can text them an ID card number and they will then run a trace or check with the data they have access to and finally come up with the user details and hotel reservations made in favor of such persons. The operators of this account were approached through mail, but there was no response from them.

The websites which have the leaked information in their content have easier search options. They can run checks and searches based on name inputs. These websites reveal detailed bookings of the persons along with their personal details, which include phone numbers and birth dates. There are also peer-to-peer file sharing websites which have taken substantial interest in furnishing personal data of the unfortunate individuals.
http://hackersnewsbulletin.com/2013/12/chinese-hackers-le...

so all your booking information is now public, together with that of millions of others, ready to be exploited for whatever goal, and it may not be a good one

wireless is a bad idea for personal information, especially if the network isn't yours or if it is used to transfer personal or confidential information


why fully privacy-based services like PrivateSky have to close down

When CertiVox positioned PrivateSky as the easiest to use and most secure encrypted messaging service, we really had two significant points of differentiation. First, even though we held the root encryption keys to the system, it was architected in such a way that it would have been all but impossible for our internal staff to snoop on our customer's communications, or for the service to leak any of our customer's data. Secondly, our possession of the root keys, and our use of identity based encryption, made the system incredibly easy to use. For the user, there were no private or public keys to manage, every workflow was handled for the user in an easy to grasp pure HTML5 interface, no hardware or software required, just an HTML5 browser.

We boxed ourselves into a feature set and market position that when called upon to comply with legal statutes, we simply had no alternative but to shut the service down. We built it, but we couldn't host it.

Why? Because as you can probably surmise, there is an inherent impedance mismatch between being able to host a commercial communications service that gives the utmost in privacy to its users, against any breach, whilst at the same time being able to operate safely within the confines of the law as it is on the books in most countries on the planet.
http://www.certivox.com/blog/bid/359788/The-real-story-on...

it is not that they are illegal; they are not

it is that they can't fulfil any demands from the police or the intelligence services when asked for specific information about specific clients, even if these demands have been passed through all the normal channels and are very specific and not generic taps on the whole system

so any such 'private service' in any country which has such laws is too good to be true, and is probably not possible, or not able to stay in business, if they don't change their way of doing things


Personal details of 54 million Turks in the hands of Russian hackers

How is this possible?

Simple: you let other people do things like this (publish all this information online so they could check if it is still correct) without any security. The number of records makes no difference, only a few seconds or minutes more to download. This is the beauty (and danger) of big data: leaks immediately become big leaks.

article

"Russian hackers have seized 54 million Turkish citizens’ ID data because Turkey’s political parties and the country’s Supreme Election Committee (YSK) share voters’ personal information, a prominent research company manager has said.

“I have heard about it. Hackers in Russia hold 54 million Turkish citizens’ ID numbers, addresses, father names,” the general manager of KONDA research company, Bekir Ağırdır, said last week in Ankara at a meeting to evaluate upcoming local elections in the country, according to a report on online news portal T24. 

Ağırdır also said some parties did not have an anti-virus system but uploaded all electors’ information online and “in two hours hackers downloaded all the information.”

Ağırdır said the Supreme Election Board provided every political party with this information in 2011. 
Recently the main opposition party Republican People’s Party (CHP) launched an “e-elector” initiative that enables citizens to check electoral rolls and detect deficiencies and mistakes through websites and mobile applications.
http://www.hurriyetdailynews.com/russian-hackers-stole-54...

this means that the ID numbers can't be used as an identifier and that only information that hasn't been leaked can be used as one

what would happen if we lost our citizen ID numbers (or our national register numbers together with our addresses)? How many systems would have to change their verification and logins?


How Google is starting to protect its Chrome users against fake certificates, and why this isn't enough

Google discovered that a fake certificate for gmail.com was being used in France.

Upon investigation it was discovered that a certificate authority gave the French institution responsible for intelligence and the like a fake gmail.com certificate so that its INTERNAL proxies could perform a man-in-the-middle attack on its OWN users who were using encryption to protect their email

this seems logical, but these certificates could have been used elsewhere and nobody would have noticed. So even if there are reasons to intercept and decrypt internal traffic for security and intelligence purposes, the method used poses so many dangers that it can't be allowed for any reason, because it undermines any trust in any web service, even one with full encryption and all the other protections

Google has decided that the local SSL provider will only be accepted as a bona fide provider for a limited set of domain extensions

Update December 12: We have decided that the ANSSI certificate authority will be limited to the following top-level domains in a future version of Chrome: 
.fr 
.gp (Guadeloupe) 
.gf (Guyane) 
.mq (Martinique) 
.re (Réunion) 
.yt (Mayotte) 
.pm (Saint-Pierre et Miquelon) 
.bl (Saint Barthélemy) 
.mf (Saint Martin) 
.wf (Wallis et Futuna) 
.pf (Polynésie française) 
.nc (Nouvelle Calédonie) 
.tf (Terres australes et antarctiques françaises)

http://googleonlinesecurity.blogspot.com.au/2013/12/further-improving-digital-certificate.html

but this is not enough, for two reasons

it will still be able to intercept and decrypt traffic with fake certificates for international services like Yahoo that have a .fr domain name

it will still be able to intercept and decrypt traffic with fake certificates for all the domains under these domain extensions

the international certificate authorities should intervene, make this kind of certificate illegal and have the firms that issue them lose their own certificates, because they have become untrustworthy

if you can't trust the certificates any more, who can you trust?
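The per-CA top-level-domain restriction quoted from Google's post, modelled as an added example (not Chrome's or Google's code): a certificate under the constrained CA is accepted only if every subject alternative name ends in one of the listed extensions. The TLD list is the one in the post; the hostnames and function names are constructed. Running it shows both points above: a forged gmail.com certificate is now rejected, while yahoo.fr still passes.

```python
"""Added example: a certificate policy that trusts a CA only for a fixed set
of top-level domains, the measure quoted from Google's post.  Not Chrome's
code; the TLD list is the one in the post, the hostnames are constructed."""

# The thirteen extensions listed in Google's December 12 update.
ANSSI_PERMITTED_TLDS = frozenset({
    "fr", "gp", "gf", "mq", "re", "yt", "pm",
    "bl", "mf", "wf", "pf", "nc", "tf",
})


def normalize_host(name):
    """Lower-case, drop a trailing dot and a leading wildcard label."""
    host = name.strip().lower().rstrip(".")
    if host.startswith("*."):
        host = host[2:]
    return host


def tld_permitted(hostname, permitted_tlds):
    """True when the host's last DNS label is one of the permitted TLDs.
    The check is label-aware: 'example.notfr' does not match 'fr', and a
    bare TLD with no second-level label is not a valid host at all."""
    host = normalize_host(hostname)
    if not host or "." not in host:
        return False
    return host.rsplit(".", 1)[1] in permitted_tlds


def evaluate_certificate(san_names, permitted_tlds=ANSSI_PERMITTED_TLDS):
    """Apply the restriction to a certificate's subject alternative names.
    One name outside the permitted set makes the whole certificate unusable
    from this CA; returns (accepted, offending_names)."""
    offending = [n for n in san_names if not tld_permitted(n, permitted_tlds)]
    return (not offending, offending)


if __name__ == "__main__":
    # Constructed certificates: the forged gmail.com case from the post, and
    # a .fr name of an international service, which the restriction permits.
    for sans in (["gmail.com", "*.gmail.com"], ["yahoo.fr", "*.yahoo.fr"]):
        accepted, bad = evaluate_certificate(sans)
        print(sans, "accepted" if accepted else "rejected", bad)
```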


12/18/2013

one can have an ID in Europe without fingerprints (so keep them out of the Belgian EID)

they have decided so in Holland

The minister let it be known at the time that the fingerprint-free identity card could be available so quickly that temporary solutions were not needed. When the identity card without fingerprints will actually be obtainable is still unknown, Privacy Barometer reports.

The minister stated earlier that there are no technical obstacles. The identity card without fingerprints is not an official travel document, but it can be used to travel within the European Union, and with the card one can identify oneself in order to vote, for example.
https://www.security.nl/posting/372859/Vingerafdrukloze+I...

So a European ID can be used to travel inside Europe and inside the home country, but not to travel to countries for which you need a passport, which will still carry fingerprints

this in fact already limits the amount of fingerprints and personal data collected, because if many people ask for such an ID without fingerprints, your national database of fingerprints becomes more or less worthless

and if Holland is backtracking, then why should we need them in Belgium on our EID?


there goes your online anonymity in the UK (together with the porn)

You have heard that the ISPs in the UK were pushed into accepting a universal anti-porn filter (first presented as a measure against child porn, but the child is forgotten now)

they will put a sort of category filter on it, as most firms with rather large networks already have

but this is not all

"Parental Controls, we're told, will not be applied to connections made over Virtual Private Networks. But, here's the fun bit:

The filter "doesn't block VPN connections, but does prevent access to sites promoting the use of proxies and annonymisers [sic]," the BT spokesman said.
http://www.theregister.co.uk/2013/12/17/bt_parental_contr...

so open proxies and anonymizer websites will also be blocked

as if they were only used for porn; and yes, they are also used for porn, but also for lots of other things

maybe you will have to prove that you are a political activist fearing for your online life before you can get access to these kinds of sites

mission creep

what is next? Tor?


how Microsoft will use encryption to defeat the NSA's global interception operation (it hopes)

Instead, Microsoft will encrypt data every time it passes between the many small services that make up a sweeping online operation such as Windows Azure. In other words, it will encrypt information before it leaves individual servers inside the data center — whether that information is traveling to another data center or not. “You need a more distributed way of handling the problem: Every individual service — whenever it talks to another service — should encrypt that channel,” Russinovich explains. “Then the price for the encryption is paid for with the resources of the individual data centers.”

So, the thousands of servers inside the data center provide the processing power needed to encrypt — “you got all these servers sitting around and they’re not fully utilized anyway. Why not use their CPUs to do the encryption, rather than these monster routers?” — and encryption is spread across many different keys. Matthew Green, an assistant research professor at the Johns Hopkins Information Security Institute who has closely followed the NSA scandal, likes the argument, though he warns that there are still pitfalls.

“It’s a better way, but it’s a little more difficult,” he says. “It requires the right custom software — software that must be installed on every single machine — and it requires some extra computation, which is going to have some impact. Somehow, you have to soak up that burden.”

This is how Azure was operating before the NSA revelations — though it was using a weaker form of encryption. As detailed in a blog post from Microsoft general counsel Brad Smith, the company will now use encryption keys that span 2,048 bits and use “best-in-class industry cryptography.”

Like many other web giants, Microsoft will also encrypt data using what’s called “Perfect Forward Secrecy,” where keys are discarded after they’re used. This means that if attackers gain access to a key, they can’t use it to unlock data they’ve collected in the past. All this, Smith says in the post, will be in place on Microsoft’s most popular online services by the end of 2014, including Outlook.com, Office 365, SkyDrive, and Windows Azure.
http://www.wired.com/wiredenterprise/2013/12/microsoft-nsa/


intrusion and surveillance technology put on the Wassenaar list of dual-use technology

Two new categories of surveillance systems were added into the dual-use goods and technologies control list of the Wassenaar Arrangement in early December 2013 in Vienna, recognising for the first time the need to subject spying tools used by intelligence agencies and law enforcement to export controls.

While there are many questions that still need to be answered, Privacy International cautiously welcomes these additions to the Wassenaar Arrangement. Undoubtedly, these new controls don't cover everything they could, but the recognition that something needs to be done at the Wassenaar level is a foundation to build from.

Understanding what the new controls actually do is heavily based on how individual states implement the agreements.
https://www.ifex.org/international/2013/12/11/internation...

this means that those technologies may be restricted for export and, even if not restricted, should be indexed and watched, and surely can't be exported to countries which are under some form of international blockade or which are known to be dictatorships or to be committing crimes against humanity

it will be interesting to see how the different countries will interpret the same clauses for the same products or functions, and whether, for example, a single European definition and list of products will be set up, unless the compromise in fact makes this decision totally meaningless


contrary to the hype we still love opt-in advertising emails and hate them in our social media

new real research with real people

http://www.convinceandconvert.com/social-media-research-2/new-research-americans-hate-social-media-promotions/

this will also make it harder for Facebook and Twitter to realise the returns from advertising they have promised their hyped-up investors, who thought that this would be the new El Dorado (like some believed in Lernout & Hauspie), and it also shows why they are investing so much in location-based advertising (while you are walking past a shop) and data mining (keeping and interconnecting everything you have said or read, or what has been said about something)


New Zealand customs officers can confiscate your digital material and ask for your passwords

Samuel Blackman told the New Zealand Herald that customs officials had confiscated his two smartphones, his iPad, an external hard drive, and a laptop, and demanded his passwords – which he gave them, he said, because he had “nothing to hide”.

Blackman said a customs official told him they were searching for objectionable material under New Zealand’s Films, Videos, and Publications Classification Act 1993.

He claimed he was not offered legal representation and was not told how to get his possessions back, and added: “It felt like being mugged … They gave me a receipt for goods detained. Still no reasons, though.”
http://www.theguardian.com/world/2013/dec/12/nsa-files-li...

you should travel information-light :)

not sure what would happen if you refused to give your passwords (or your two-factor authentication device)

maybe you should look at hiding the really important information behind pictures and films and so on .....


12/17/2013

Canada's official institutions had 3000 privacy breaches which they almost never reported to the privacy commission

The agency was asked by the NDP for information on how many data, information and privacy breaches had been recorded in each year between 2002 and 2012. Some other departments were able to provide data on privacy breaches, with the results showing more than 3,000 recorded breaches with almost 87 per cent of those breaches not reported to the privacy commissioner.
http://www.vancouversun.com/technology/urge+probe+privacy...

so what do you need a privacy commission for?

make-believe: just make people believe that you are doing something and that there are people watching over your privacy

a smokescreen, but nothing more


IBM is the first firm to be sued for risking the loss of part of the non-US market by bowing to the NSA

According to Reuters, the Louisiana Sheriffs' Pension and Relief Fund is suing the technology giant's CEO Virginia Rometty and CFO Mark Loughridge for failing to reveal the risk of tying the company to the NSA.

In November, the Center for Strategic Studies in Washington noted that IBM, along with Cisco and Microsoft, appeared to be stonewalled by China in response to media reports that US companies were aiding the NSA.

IBM reported a 22 percent revenue loss from China in October, and a 4 percent drop in its Q3 profits. In September, Microsoft also noted that China is its weakest market.
http://www.zdnet.com/ibm-sued-for-cooperating-with-nsa-fo...

it is the first time, after the initial estimates from the US technology firms themselves, that the financial losses they are enduring are becoming concrete and are being felt by their investors as a risk (a risk being anything that can negatively influence your performance or worth)

which in fact means that if a firm wants to cooperate more closely with the US or other intelligence services than it is legally obliged to (which carries no risk as long as only targeted data is involved), it should inform its shareholders first

and I wouldn't start replacing US hardware with Chinese or Russian, and I wouldn't call any of them democratic societies that are outraged by espionage on their citizens without due process....


is your login in the data leakage of those 7 data breaches?

this is not complete; there are thousands of logins published (or not) every week

but it is an effort like any other

http://haveibeenpwned.com/ is the new initiative

but https://pwnedlist.com/ is much more complete and better


with personal data on a laptop, there is no alternative to full (hard drive) encryption

Horizon Blue Cross Blue Shield of New Jersey (BCBSNJ) said on Friday that nearly 840,000 members' information may be at risk, after two employee laptops were stolen in November.

According to a statement from BCBSNJ, the police were notified on November 4 about the missing hardware, which had been left on the desk, presumably safe from theft because they were protected by a cable-lock. However, the data on those systems was not encrypted, potentially exposing 839,711 members to fraud and identity theft.
http://www.cio.com/article/744491/Blue_Cross_840_000_Heal...

if you know that the cost of full encryption and secure encrypted pre-boot two-factor authentication is not even 100 dollars for a laptop (if you have only two of them)

then that saving has been wasted a million times over

let them no eat peanuts in the C4 building, dismissed


JP Morgan announces in December that it discovered in September a breach that happened in July

yep, that is the state of their security and security management; no joke, or rather, yes, a joke

the December article

"JPMorgan Chase & Co. has said they plan to issue breach notifications to nearly 500,000 customers, or two percent of the bank's 25 million UCard users, after hackers breached their network in July. However, because there's no evidence that funds were stolen, the bank will not issue replacement cards.

On Wednesday, several state agencies were notified of a data breach that took place in July, after hackers compromised UCard servers maintained by JP Morgan Chase & Co. The incident resulted in the potential loss of hundreds of thousands of records.

The breach itself was detected and fixed in September, but the specifics of the attack remain undisclosed. While normally encrypted, the bank said that the records compromised during the attack appeared in clear text temporarily while the breach was taking place. Moreover, the bank stressed that the breach in July only affected the prepaid UCards, and none of the other card brands that they support.
http://www.cio.com/article/744284/JPMorgan_to_Notify_500_...

there is no encryption if there is no full permanent encryption
