privacy - Page 5

  • how to keep the German intelligence service out

    The documentation from wikileaks

    The script http://jeenaparadies.net/t/bnd.txt

    a control of wiki-edits delivered this from one of their IP adresses

    "An examination of Wikipedia edits from the IP ranges reveals that along with a lot of standard edits[1] , the German Wikipedia entry for the BND itself was modified. The claim suggesting that foreign offices of the Goethe Institute serve as unofficial cover for the BND, was redacted by the suspect IP[2].  wikileaks as source

    and do not count on RIPE

    "Between Friday night and Sunday morning, a massive deletion operation took place at the European Internet address register (RIPE) to scrub references to a cover used by Germany's premier spy agency, the Bundesnachrichtendienst, or BND.

    The cleanup operation comes the night after Wikileaks revealed over two dozen covert BND networks provided by T-Systems (Deutsche Telekom). The IP addresses were assigned to an unregistered company at a Munich-based PO box linked to T-Systems.

    T-Systems purged the RIPE database of all addresses exposed by Wikileaks, moving the addresses into a several giant anonymous "Class B" address pools.

    The move comes just a few hours after T-Systems Computer Emergency Response Team (CERT) contacted Wikileaks to demand removal of an internal T-Systems memo listing the BND cover addresses. Wikileaks refused and T-System did not respond to requests for further detail by the time of writing. "

  • the only Belgian on the leaked member list of British national party

    The member and contact list was leaked some time ago and by going over it we found the only Belgian on the list or the person living in Belgium

    http://wikileaks.org/leak/bnp-membership-list.txt

    Mr
    David
    Bolton
    Deinse Horsweg 15
    Drongen 9031
    East Flanders
    Belgium
    0032 9244 5384
    davidjohnbolton@gmail.com
    Donation £5 (applied in error for Gold)
    Doctoral student (inter-religious dialogue)

    It is off course a problem of privacy. But the list is public, so you probably be better aware that you are on it

  • example of P2P UK piracy letter from a lawyer firm

    http://wikileaks.org/leak/davenport-lyons-letter.pdf

    In this letter you will find the explanation of how they do it, how they calculate the costs and the legal basis in the UK they are using.

  • Belgian government thinking about giving the police the right to break into computers

    According to some newspapers there is are some proposals in the wings that would give the police the power to break into computer systems and install keyloggers.

    This seems like a really stupid idea if it would be written like that. What would you do when someone finds these keyloggers with his antivirus software ? If the Belgian law on the cybercriminality isn't changed at the same time, he would sue them and the police wouldn't be able to do anything. It is also nowadays very easy if you spend some money to defend a computer. This is why a computer is not the ideal place to itnercept communications.

    There is another problem that is far more important. if the computerpolice nowadays finds underground internetfora where they sell illegal stuff they can't tell they are policemen according to the law and they can't use certain software or even be member of the forum to observe and intervene when enough information has been collected. The computercirme police needs to have more possibilities to do their online research and hide their real identities, but hacking into personal computers is just something that would probably not have the desired effect.

  • Mobib (STIB) the truth is coming out

    When the Mobib card was launched last year, we asked ourselves if that card wouldn't have the same problems that the same cards had in other cities and that dutch researchers had shown in newsmaking research. But oh no, some specialists close to the project told us in a meeting, it was totally different, they had used other codes and norms and they had particulary paid attention that the same mistakes wouldn't be made in Brussels that were being made in London and Holland. We had our doubts, but if they were so persistant, than we only had to stand by and hope that some-one had the guts to test it and proof us wrong.... or right.

    Luckily the security researchers of the UCL are beginning to have a knack at critical research - where are those bright flemish researchers except losing themselves in cryptographic games ? So they did it again. Yes, they did the RFID chip research on the Belgian passport.

    They even have developed a free software which you can use to extract the travel information from a mobib card. Seems like another reason not to use it if you are a bit paranoid. You could use it to extract also that information from people nearby that have such a card. You will receive their last three travel and their identity, birth and zipcode. Anyone can do this without any encryption or protection. Interesting for thiefs or harassment I would think.

    It makes also thinks that our national commission for the protection of our privacy was informed about the card but didn't found it necessary to investigate more. A question that remains is what happens with all the other travels ? how are they retrieved or suppressed from the card ?

    The other question is naturally why the card leaves anoyone read so much information. There are RFID chips on the market that are much more protective, but they are more expensive.

    It is the intention of the transport company to change all the regular use cards with this one Mobib card. Question is if that will be still possible with the same technology or that the STIB will have to handout privacyprotective cardholders with them.

    The STIB also said that itself seperated the travel information from the information about the client. This way it would have two databases. One about its clients and another one about the global travels that were done by their users. Both wouldn't be linked or connected. But with the interception of the card this is exactly what has happened. The card is the connection between the two kinds of data.

    And if that ain't enough, the Stib is also at the center of an European financed project projet « Triangle ». that wants to make a commun ticketing for the three transport systems in Paris, Londres et Bruxelles. And this would become the basis for an international ticketing system that could be used anywhere in Europe.

    And to make it even more interesting because there is much more mission creep and privacyloss in the future of this card. They have/had plans to integrate it with traintickets and other means of transport or even events. They question that now arises is how much information will stay on the card (three events, three traintickets, three brussels transports and a taxi for example ?). Before you know it, you are carrying all your travelinformation in one card. Seems simple and scary at the same time.

    As a customer you can also buy a wallet with a small metal plate in it in which you can put the card. You have to get the card out each time to validate it but nobody else will be able to read ti without your agreement. The same goes for your passport.

    The responses from the STIB are also totally wrong. They say that the information that is on our ID and SIS card can also easily be read. Yes but you need to do it at home and you need to have the card in your possession. Here we are talking about walking around in a metro with the RFID card reader and reading without telling anyone the travel and some identity information from anyone near you, if he or she agrees to that or not. This is the difference.

    http://www.avoixautre.be/spip.php?article2169

  • building Belgian personal databases ready for crime and hacking

    The governmental websites ask three numbers that people have to give in to be able to access their personal files with the administration. Their Identity card, their Social Securitycard and their unique identifier (population number). They also receive a token.

    But the Belgian government is investing millions to protect these files even if some things can go much better :)

    There is no reason - tell me if I am wrong - that private databases or administrations would ask all of these data for authentification or administration. One or maximum two of them should be enough. Unless they are willing to take all the risks of a perfect IDtheft if for one reason or another they get owned or someone gets fired or no raise and he takes these files home or somewhere else :)

    or any form that combines these three data becomes a risk on paper or in the computer.

    we know, you will only realise it when .... it is too late

    Formulier 4

    Bestandsformaat: Microsoft Word - HTML-versie
    Identiteitskaartnummer: …………………………………… Rijksregisternummer: …………………………………... SIS -kaartnummer: ………………………………… Bankrekeningnummer: …………………………………… Opleiding ...
    www.ryhove.be/bijlagen/sollicitatieformulierstudentenjob.doc

    SOLLICITATIEFORMULIER VAKANTIEJOB 2008

    Bestandsformaat: PDF/Adobe Acrobat - HTML-versie
    Identiteitskaartnummer : .....…….........………....…. Bankrekeningnummer : ….…..……… …………..….... Rijbewijs :. ja. neen. Siskaartnummer : … ...
    www.ocmwwevelgem.be/doc/pers/solfor08.pdf
  • chinese mobile phones are good for privacy and criminals

    During the investigations into the terror attacks in India the Indianese police discovered that by tracing the mobile phone calls that were being made those being done with Chinese Mobile phones were in fact not traceable because in too many cases those had the same IMEI numbers (a sort of unique identifier for each phone).

    "Short for International Mobile Equipment Identity, a 15 to 17 digit unique serial number printed on the back of a mobile phone handset is referred to as the IMEI number. A combination of the codes representing the manufacturer's name, model and type of the phone, the IMEI number gets registered with the mobile phone service provider as soon as a phone is activated. IMEI number is required to trace a phone as well as to retrieve its call history"  source 

    This means that any country that has any law in which the law officers have the right to search for traces and content of mobile phone calls would be wopping mad to certify any sale of chinese mobile phones, or let their telecom operators use them for their own SIM cards. India has decided that from today Chinese mobile phones without such a number may not function anymore.

    China is in the process of installing together with the international GSM association a verification system for such process but meanwhile this isn't errorproof. These mobile phones are very popular because they are so cheap.

    At the other hand Chinese dissidents may have now some freedom on the phone...

    Someone in Danmark is trying to set up a list with all the identifyers that are in such a number. You can help him.

    If you are looking for one in Google do - chinese mobile phones site:be - (or whatever country) some of the sites are scams or even malware infected as many chinese sites are

  • if the new US Homeland Security Director will do for the US what she did as governor

    than this is coming your way (and if thought that Bush was a danger for your privacy, than you ain't seen nothing yet I suppose)

    • Pushed state police to use cameras that scan license plates of moving cars to find vehicles that are stolen or linked to a criminal suspect.
    • Promoted "face-identification" technology that could help surveillance cameras find wanted people by comparing someone's face with a photo database of suspects.
    • Signed a 2007 bill making Arizona one of 12 states that collect and store DNA samples of people accused but not convicted of certain crimes, including murder, burglary, sexual assault and prostitution.
    • Proposed an optional state ID for legal citizens only that features a radio-frequency chip to allow authorities to read the card. State lawmakers blocked the effort this year.

    Probably she thinks that technology can function on its own without democratic oversight and rules and that it will never fall in the wrong hands or be used for other reasons (also known as mission creep).

    and if it is done in the States, it comes to the UK and from the UK to the EU so what happens in the US is important for the EU, as is what is happening now in the UK.

  • how to circumvent a 4 billion Yen fingerprint system with tape

    The women from South Korea was deported as an illegal alien from Japan and barred re-entry but "A South Korean broker is believed to have supplied her with the tapes and a fake passport, the Yomiuri said, adding that officials believe many more foreigners might have entered Japan using the same technique" source

    In Europe we also use systems like that to control the identity of illegals and aslymseekers. It has been known before that some burnt their fingers just to be able to forgo identificiation but here It seems that there could be a whole new business popping up underground.

  • licence plate cloning as game, harassment or crime

    republished because too funny

    "High school students in Maryland are using speed cameras as a tool to fine innocent drivers in a game, according to the Montgomery County Sentinel newspaper. Because photo enforcement devices will automatically mail out a ticket to any registered vehicle owner based solely on a photograph of a license plate, any driver could receive a ticket if someone else creates a duplicate of his license plate and drives quickly past a speed camera. The private companies that mail out the tickets often do not bother to verify whether vehicle registration information for the accused vehicle matches the photographed vehicle.

    In the UK, this is known as number plate cloning, where thieves will find the license information of a vehicle similar in appearance to the one they wish to drive. They will use that information to purchase a real license plate from a private vendor using the other vehicle's numbers. This allows the "cloned" vehicle to avoid all automated punishment systems. According to the Sentinel, two Rockville, Maryland high schools call their version of cloning the "speed camera pimping game."

    A speed camera is located out in front of Wootton High School, providing a convenient location for generating the false tickets. Instead of purchasing license plates, students have ready access to laser printers that can create duplicate license plates using glossy paper using readily available fonts. For example, the state name of "Maryland" appears on plates in a font similar to Garamond Number 5 Swash Italic. Once the camera flashes, the driver can quickly pull over and remove the fake paper plate. The victim will receive a $40 ticket in the mail weeks later. According to the Sentinel, students at Richard Montgomery High School have also participated, although Montgomery County officials deny having seen any evidence of faked speed camera tickets.

    http://www.thenewspaper.com/news/26/2632.asp

    anyone tried this in Belgium yet ?

  • lessons for a pickpocket victim in Brussels south trainstation

    Family of mine became the victim of pickpockets in the Brussels South trainstation. During the rest of the process, following things became clear

    on a negative note

    * all the plainclothes undercover antipickpocket police agents were on holiday on the same day.....

    * there are security camera's everywhere.... but some never work or don't work anymore

    on a positive note

    * the police were very helpful and friendly, which helps a great bit when people have lost their wallet with all their papers or their bag with all their belongings...

    * they had a checklist with which it was possible to block any card, any account and mobile phone which was done by a kind of call center. I hope this is the case in any police station in Belgium and it should be the only model that one uses in the future. Such a process would also be very helpfull in the US, where the victims have to do most of the work of blocking everything themselves.

  • ex-Minister Dewael and e-discovery and archiving

    In Belgium there are no standards for logging or e-discovery. It is even not clear what you have to archive as electronic material. The chaos is even greater because the national archiving laws are in total contradiction with the 'public disclosure' laws (if we can call them like that because the level of public disclosure in Belgium is very very limited, especially if you compare it to the level of public access to governmental or administrative documents in the US for example). 

    The national archiving laws oblige to keep anything in any format that is important to understand the decisions that are taken. The public disclosure law only obliges you to show the final documents with the final decisions. You can say that this is not a contradiction, but it gives way to totally different interpretations in the reality of every day functioning. If documents that are being used to prepare a decisions are legally not important and will never be made public - according to present laws (and laws can't go backwards normally) than why should you keep them or try to restore them if you lose them or check that all these documents were saved in a proper manner and are still usable after so many months or years.

    The biggest effect of this chaos is on email, as the last months have shown. There is no legal obligation to keep emails that install no legal rights. If you send an email telling someone that he or she will get a subsidy than it should be kept, if you send an email saying that the question is being investigated, than you shouldn't (except if it is being seen as the only legal declaration of reception of your demand). The effect is that the archiving of emails is different according to the local network reglementation and installation. (advice ; just archive anything and filter your email against films and music and flash)

    So why is this now so important for Mr Dewael. He is no longer minister of the interior but president of the Chamber of parliament, but if he will be able to hold on to that position is another matter. It was clear that he had to leave his post as minister because there was no external person had any clear idea about which documents would be turned up next about some nominations in the management functions of the national police force. When some files were published in which his advisors warned him for the dubious nature of some of these nominations, he said that he couldn't have given those to the parliament that was investigating these allegations because the files had been archived and he couldn't access them. This is very hard to believe for an outsider (and so the press and the political opponents).

    It should now be clear for the political world that not only do we need more public access, but that we also need to set up clear rules for administrations, political institutions and enterprises about what they should keep whatever the format it is available in. The advantage is that the decisions will become more transparent and that when there is an investigation, all that should be found will be found immediately (and not in bits and pieces during months).

    This can also be a good basis for some written agreements between the police and justice departments at one side and the administrations and enterprises at the other about how they will announce and set up the e-discovery forensic process.

  • msntracer.eu is a phishing server according to phishtank

    so would you use it

    len146

    but the phishtank says it is a phish and you shouldn't use it

    http://www.phishtank.com/phish_detail.php?phish_id=585737&frame=site

  • How to find out for 20 dollars if your girlfriend is riding to her secret lover (US only for now)

    GPS and mobile tracking without any privacy guarantees....

    this is for fun but what about economic spying, wouldn't you want to know where the salespeople of your competitors are going ?

    problem is the batteries and as you will have to change them often, you can get caught each time

    another problem is that this guy leaves so many forensic fingerprints behind....

     

  • Facebook : do not accept invitations from people you don't know

    It is also very safe not to accept friend invitations from people you don't know. The reason is that a Facebook profile contains enough personal information which can be studied by fraudsters (your unknown friends) in order to create special phishing attacks or malware targeted to individual users or businesses. What if you click on a shared link or item? Then your privacy will belong to them!!!  source

    the source has also a list of new vulnerabilities that gives attackers the possibility to bypass security or attack others

  • Atos worldline is in Belgium an enormous player

    http://www.atosworldline.be  they control all electronic transactions of all major cards in Belgium, that is to say millions of transactions a day

    and they have a data leakage in germany as you may have read here

    or not only in germany ?

    who knows ?

    the privacycommission ?

  • ATOSworldline loses total bankinginfo in Germany

    Strictly confidential information on over 10,000 credit card customers of the Landesbank Berlin (LBB) was anonymously sent to the Frankfurter Rundschau, the newspaper claimed on Saturday, Dec. 13.

    Because the LBB is the country's largest creditor, said the paper, many customers of other banks are also affected by the data breach.

    Customers' names, addresses, credit card numbers, bank account numbers, transaction information and -- in some cases -- PIN numbers were included on the micro-fiches the Frankfurter Rundschau had received.

    The case "overshadows all previous cases in size and especially in the quality of data," Thilo Weichert, director of the Independent Center for Privacy Protection in Schleswig-Holstein, told the Berliner Zeitung. He said the LBB mishap was an "unbelievable and unique case."

    "The credit card accounts can be maxed out to their credit limit," added Weichert.

    Supposedly, the data leak originated with another company, AtosWorldline, which LBB had hired to do its accounting.

    Weichert criticized LBB's practice of passing sensitive data on to third parties, calling it an "Achilles' heal and enormous loss of control." The LBB is still legally responsible for the consequences, he said.

    source

  • Action group for an European Internet for citizens

    La Quadrature du Net (Squaring the Net) is citizen group informing about legislative projects menacing civil liberties as well as economic and social development in the digital age.

    La Quadrature du Net informs citizens, public authorities, organizations, corporations.

    It works with everyone to elaborate balanced alternative solutions.

    La Quadrature du Net is supported by French, european and international NGOs including the Electronic Frontier Foundation, the Open Society Institute and Privacy International.

    http://www.laquadrature.net/en/who-are-we

    The European community is planning a whole series of big changes in the way we use the internet and our rights on the European internet (if there will be any left). This website will inform you about what is happening and why.

  • Belgian tax control man uses Facebook information

    According to a news article there are some younger tax controllers in Belgium that use information that is being published on Facebook and other internetfora when someone is being thoroughly investigated for possible fraud or tax evasion.

    Well, if you say to the tax man that you don't earn much and on facebook you show pictures of your holidays in luxury destinations, that is asking for trouble when he knows how to google.

  • EID the privacy service is gone and how to bypass the new one....

    What was the problem ?

    The problem was that there was much publicity about a privacy firewall. It would warn you when an application tried to read the data on your EID chip and export it (to where-ever in XML for example to be combined with other stolen data). But that privacyfirewall is gone. It made some wrong expectations, they say ....

    What is the situation now ?  we citate

    "The privacy service was removed from the v3.5, and replaced by an access dialog warning the user the application is reading one of the ID-related files. This dialog is not displayed for applications built against a v2.6 runtime and off course the old privacy service is not present anymore. The old v2.6 application filtering is known to be "defunct" but part of the v2.6 runtime and still present for v2.6 applications. " source

    So this says my pentesting mind. § I make an application that is built upon the 2.6 runtime. Any new EID card will have no warning at all.... §

    should have put a warning that the application was in a 2.6 runtime environment and could read your data...... except if I understand it wrongly... please tell me I am wrong....  This would be too simple.... or not....